
New PoS Malware Hits Victims Via Spam Campaign: FireEye

Researchers at FireEye have identified a new strain of point-of-sale (POS) malware being used in a spam campaign.


The malware has been dubbed NitlovePoS and can capture and exfiltrate both track one and track two data from payment cards by scanning the running processes of the compromised machine. According to FireEye, cybercriminals have launched an attack campaign using emails with subject titles such as ‘My Resume’ and ‘Any Openings?’. The campaign is believed to have started May 20. Inside the emails is an attachment that is disguised as a resume but is actually a Word document with an embedded malicious macro.
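The track one and track two formats that NitlovePoS scrapes from process memory are the same magnetic-stripe layouts a defender can look for in outbound traffic or in a memory capture when hunting for this class of malware. The following Python detector is an added example written for this article, not code from FireEye or SecurityWeek: it matches the standard ISO 7813 track layouts, drops matches whose account number fails the Luhn check (which removes most look-alike digit runs), and reports only a masked PAN so the detector itself never logs card data. The sample payload is constructed for the example and uses the well-known 4111 1111 1111 1111 test number.

```python
import re

# ISO 7813 magnetic-stripe layouts (constructed patterns for this example):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Scan a byte buffer (memory dump, PCAP payload, file) for track data.

    Returns one dict per Luhn-valid hit: kind, masked PAN, expiry (YYMM), offset.
    """
    findings = []
    for kind, rx, exp_group in (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue  # right shape, but not a real card number: likely noise
            findings.append({
                "kind": kind,
                "pan": mask_pan(pan),
                "expiry": m.group(exp_group).decode("ascii"),
                "offset": m.start(),
            })
    return findings


# Constructed sample: an outbound HTTP body with two genuine track records and
# one decoy that has the track-2 shape but a PAN that fails the Luhn check.
SAMPLE_PAYLOAD = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"\x00\x01junk\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000000?"
    b"\x00more\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00"
    b";1234567890123456=25121010000000000000?"   # decoy: fails Luhn
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_PAYLOAD):
        print(hit)
```

Run over a real capture, the same function can be fed the payload of each outbound connection from a POS host; two Luhn-valid hits in one request body, as in the sample, is a strong exfiltration signal, whereas a single match with no Luhn-valid PAN is usually a false positive.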

“To trick the recipient into enabling the malicious macro, the document claims to be a ‘protected document’,” blogged FireEye researchers Nart Villeneuve and Daniel Regalado. “If enabled, the malicious macro will download and execute a malicious executable from 80.242.123.155/exe/dro.exe.”

The cybercriminals behind this operation have been updating the payload, the researchers explained. The two payloads FireEye has observed beacon to the same server from which they are downloaded. They then receive instructions to download additional malware hosted on the server.

“We focused on the ‘pos.exe’ malware and suspected that it may be targeting Point of Sale machines,” the researchers blogged. “We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXEs [hosted] on that server, we have only observed three downloads of ‘pos.exe’.”

The malware adds itself to the Run registry key to guarantee it will run after every reboot, they explained.

“NitlovePOS expects to be run with the ‘-’ sign as argument; otherwise it won’t perform any malicious actions,” the researchers blogged. “This technique can help bypass some methods of detection, particularly those that leverage automation.”
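Both behaviours described above, persistence through the Run registry key and the requirement of a bare ‘-’ argument, leave traces in endpoint telemetry that a defender can alert on even when the sample itself is not yet detected by signatures. The Python below is an added example, not code from FireEye or SecurityWeek, and it assumes registry-value-set events in the shape of Sysmon Event ID 13 (fields EventID, Image, TargetObject, Details); the sample events are constructed for the example, with the SID and value names made up. It flags Run-key entries whose executable lives in a user-writable directory, and separately notes command lines whose only arguments are bare switches such as ‘-’, which is the launch pattern described for NitlovePOS.

```python
import re

# Run / RunOnce keys under HKLM or any HKU hive (case-insensitive).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)
# Directories an ordinary user (or a macro dropper) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Local Settings|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE
)


def split_command(cmd: str):
    """Split a Windows command line into (executable, [args]), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd, []
        return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def suspicious_run_entries(events):
    """Return Run-key writes that look like malware persistence, with reasons."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:            # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        exe, args = split_command(ev.get("Details", ""))
        reasons = []
        if USER_WRITABLE_RE.search(exe):
            reasons.append("user-writable path")
        if args and all(re.fullmatch(r"[-/]+", a) for a in args):
            reasons.append("bare-switch argument")
        if reasons:
            hits.append({
                "writer": ev.get("Image"),
                "key": target,
                "command": ev.get("Details"),
                "reasons": reasons,
            })
    return hits


# Constructed sample telemetry (Sysmon-style Event ID 13 records).
SAMPLE_EVENTS = [
    {   # legitimate vendor agent installed under Program Files
        "EventID": 13,
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
        "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /service",
    },
    {   # dropper writing a Run value that points into the user's profile
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dro.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\WindowsUpdate\\pos.exe -",
    },
    {   # unrelated registry write, not a Run key
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_EVENTS):
        print(hit)
```

The writer field matters for triage: a Run value set by an executable that itself runs from Temp, as in the second sample, is the pattern a macro dropper produces, and pairing that with a bare-switch launch argument gives two independent reasons to pull the endpoint for inspection.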

“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data,” they continued. “If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort.”


NitlovePoS is just one of several pieces of POS malware that have appeared so far in 2015, which has seen the emergence of malware such as Punkey and FighterPOS. According to market research firm ABI Research, the growing focus on POS systems by attackers will boost the market for security solutions aimed at protecting the point-of-sale environment. In particular, the firm cited next-generation firewalls as a key technology for enforcing network segmentation.

“The key advantage that NGFW (next-generation firewalls) provides for network segmentation is that application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled,” said Monolina Sen, ABI Research’s senior analyst in digital security, in a statement.

ABI Research predicts the number of POS-related security incidents with confirmed data exposure will increase by the end of 2015.

“Even cybercriminals engaged in indiscriminate spam operations have POS malware available and can deploy it to a subset of their victims,” the FireEye researchers noted. “Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant. We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cybercrime marketplace.”
