Point-of-sale (PoS) malware has become one of the chief weapons used by attackers to steal credit and debit card data, and now researchers at Trend Micro say they have found yet another threat to add to the list of tools in criminals’ toolboxes.
The malware is dubbed PwnPOS, and has managed to stay under the radar despite being active since at least 2013. According to Trend Micro, it has been spotted targeting small-to-midsized businesses (SMBs) in Japan, Australia, India, Canada, Germany, Romania and the United States.
Trend Micro Threat Analyst Jay Yaneza called PwnPOS an example of malware that’s been “able to fly under the radar all these years due to its simple but thoughtful construction.”
“Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration,” he explained in a blog post. “While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process’ memory and dumps the data to the file and the binary uses SMTP for data exfiltration.”
The malware targets devices running 32-bit versions of Windows XP and Windows 7. One of the keys to the malware’s stealth appears to be its ability to remove and add itself from a list of services on the PoS device.
“Most incident response and malware-related tools attempt to enumerate auto-run, auto-start or items that have an entry within the services applet in attempt to detect malicious files,” Yaneza blogged. “Thus, having parameters that add and remove itself from the list of services allows the attacker to “remain persistent” on the target POS machine when needed, while allowing the malicious file to appear benign as it waits within the %SYSTEM$ directory for the next time it is invoked.”
PwnPOS enumerates all running processes and searches for card information. Afterward, the stolen data is dumped into a file and ultimately emailed to “a pre-defined mail account via SMTP with SSL and authentication,” the researcher blogged.
Cybercriminals have increasingly been turning to ready-to-use point-of-sale malware kits. According to security firm Crowdstrike, such kits can cost from as little as tens of dollars to thousands depending upon their complexity.