Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New PoS Malware Hits E-kiosks and Ticket Vending Machines

Researchers at IntelCrawler have identified a new strain of point-of-sale (PoS) malware targeting e-kiosks and ticket vending machines.

Researchers at IntelCrawler have identified a new strain of point-of-sale (PoS) malware targeting e-kiosks and ticket vending machines.

The firm has dubbed the malware ‘d4re|dev1|’. The malware is hitting mass transit systems, and acts a backdoor that gives attackers remote administration capabilities. It also has RAM scrapping and keylogging features.

“For today, we have identified close to 80 compromised merchants in EU/US/AUS,” IntelCrawler CEO Andrew Komarov said in an email to SecurityWeek. “We see active growth of this malware, having pretty similar functions of famous RAM scrapping trojans, but with some advanced features…for password interception within the sessions of specific retail management systems.”

The malware has a “File Upload” option that can be used for updating the payload remotely, according to the firm.

Point of Sale Malware“The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome,” IntelCrawler explained in a blog post. “Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 [command-and-control] servers.”

Ongoing investigations have revealed that some operators of point-of-sale terminals have used their terminal for gaming and other web surfing, such as email and visiting social networks. These cases have a common denominator of weak passwords and logins, many of which were found in large third-party breaches, according to the firm.

“Some recent POS investigations have revealed organized crime groups distributing malicious code and compromising networking environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems,” according to the company. “One of the compromised devices was found in Sardinia in August 2014, giving the bad actors unauthorized access to it through VNC.”

Komarov said that the attackers are installing the malware using unsecure remote administration channels, including tools like TeamViewer and pcAnywhere. In some cases, the attackers are looking for specific retail management systems in order to compromise them using application vulnerabilities as well.

“We advise to secure [these] devices properly, and not to connect them to public static IPs or to organize insecure remote administration channel to them,” he said. “All the traffic should be [encapsulated] into VPN, as well as ACL list should be created to define trusted hosts for connections.”

Earlier this year, IntelCrawler discovered Nemanja, a botnet comprised of roughly 1,500  terminals and other systems, and POSCLOUD, which targets cloud-based PoS software used by many grocery stores, retailers, and other small businesses.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.