Worm Capabilities Added to FighterPOS Malware

The developers of the point-of-sale (PoS) malware known as FighterPOS have added worm capabilities to their creation, and the number of infections detected in the United States has increased over the past period.

Trend Micro reported in April 2015 that a new PoS malware family had infected the systems of more than 100 organizations in Brazil, helping cybercriminals steal over 22,000 unique credit card records.

Initially sold for more than $5,000 worth of Bitcoins, FighterPOS continues to evolve, and while over 90 percent of infections still appear to be in Brazil, the number of infections detected by the security firm in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.

Experts’ assumption that FighterPOS operators have started targeting the United States is also backed by the fact that new samples of the malware include strings written in English, instead of Portuguese. 

Trend Micro has come across two new FighterPOS samples: a lightweight version detected as TSPY_POSFIGHT.F, and a more sophisticated variant detected as WORM_POSFIGHT.SMFLK and dubbed “Floki Intruder.”

Similar to older versions of FighterPOS, Floki Intruder can disable the firewall, User Account Control (UAC) and other Windows protections, and it can detect the presence of security products using Windows Management Instrumentation (WMI). Just like previous variants, Floki Intruder is delivered via hijacked websites and it’s capable or receiving updates from its command and control (C&C) servers.

One noteworthy feature added to Floki Intruder allows the threat to infect all PoS terminals on a network. The malware enumerates logical drives and drops copies of itself along with an autorun.inf file using WMI. The autorun.inf file is used to execute the malware when the targeted logical drive is accessed.

“Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected,” Trend Micro researchers said in a blog post.

The lightweight FighterPOS variant found by Trend Micro is only designed to connect to the attacker’s server to send payment card logs collected by other PoS malware that is designed to scrape the RAM for valuable information. TSPY_POSFIGHT.F doesn’t accept backdoor commands and it cannot obtain information on the infected machine.

Researchers discovered several new PoS malware families last year, including NitlovePoS, PoSeidon, MWZLesson, MalumPOS, Cherry Picker and AbaddonPOS.

Related: Operation Black Atlas Continues to Compromise PoS Systems

Related: Botnet Takes “Shotgun” Approach to Hack PoS Systems