A newly discovered Point of Sale (PoS) malware dubbed LockPoS appeared in the wild and it is being delivered through the Flokibot botnet.
A newly discovered Point of Sale (PoS) malware is being delivered via a dropper that is manually loaded and executed on the targeted systems, Arbor Networks Security researchers warn.
Arbor Networks researchers discovered a new Point of Sale (PoS) malware, dubbed LockPoS, in the threat landscape.
LockPoS uses command and control (C&C) infrastructure that the Flokibot botnet also uses in attacks against Brazilian users.
The Floki bot is a banking Trojan based on Zeus that has been sold on the cybercrime underground since September 2016. The malware was developed starting from the Zeus source code that was leaked in 2011, and it is offered for $1,000 worth of bitcoins.
The experts from Flashpoint who discovered it in the wild in December speculated that the Floki Bot has a Brazilian origin: the threat actor behind the malware was using the "flokibot" moniker and communicated in Portuguese. It targeted Brazilian IPs and domains, and systems whose default language was set to Portuguese.
The analyzed LockPoS sample was compiled in late June and uses a dropper that injects the malicious code directly into the explorer.exe process.
The dropper has to be manually loaded and executed. It then extracts a resource file from itself that contains multiple components; these are injected into explorer.exe and act as a second-stage loader. Next, the injected code decrypts, decompresses, and loads the final LockPoS payload.
LockPoS implements the regular "registry run" method for persistence and obfuscates important strings using XOR with a key of "A".
"LockPoS uses the regular 'registry run' method for persistence. It obfuscates important strings using XOR and a key of 'A'. An initial configuration (which includes the C2 URL) is stored unencrypted as a resource named 'XXXX':" states the analysis.
"C2 communications are via HTTP and using a very telling User-Agent."
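As an added triage example (not code from Arbor's analysis or from the malware), the helper below applies the reported single-byte XOR key "A" to a binary blob and lists the printable strings that only appear after decoding. The blob, the C2 URL and the registry path in it are constructed placeholders, not values from the sample.

```python
import re

# Single-byte XOR key reported for LockPoS string obfuscation: 'A' == 0x41.
LOCKPOS_XOR_KEY = ord("A")


def xor_decode(data: bytes, key: int = LOCKPOS_XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key. XOR is its own inverse, so the
    same function both encodes the constructed sample and decodes a blob."""
    return bytes(b ^ key for b in data)


def find_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs (0x20-0x7e) of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def xor_strings(blob: bytes, key: int = LOCKPOS_XOR_KEY, min_len: int = 6) -> list[str]:
    """Strings that become readable only after XOR-decoding the blob with key."""
    return find_strings(xor_decode(blob, key), min_len)


# Constructed sample (not a real LockPoS resource): two strings an analyst
# would look for, XOR-encoded with 'A' and separated by non-printable junk.
C2_URL = b"http://c2.example.invalid/gate.php"  # placeholder C2 URL
RUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
JUNK = b"\xff\x00\x80\x01\x9c\xd2\x10\xee"
SAMPLE_BLOB = JUNK + xor_decode(C2_URL) + JUNK + xor_decode(RUN_KEY) + JUNK

if __name__ == "__main__":
    # Plain `strings` shows the encoded URL only as punctuation-like gibberish,
    # because lowercase ASCII XOR 0x41 lands in the printable 0x20-0x3b range.
    print("plain strings  :", find_strings(SAMPLE_BLOB))
    print("XOR 'A' strings:", xor_strings(SAMPLE_BLOB))
```

Because lowercase text XORed with 0x41 is still printable, plain `strings` output shows such strings as runs of digits and punctuation rather than hiding them, which is a useful hint when a sample's string table looks odd.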
The malware communicates with the C&C server over HTTP. Once it has infected a machine, it sends back to the server several pieces of information, including the username, computer name, bot ID, bot version (184.108.40.206), CPU, physical memory, display devices, Windows version and architecture, and the MD5 hash of the currently running sample.
"The malware's PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like. Here's a snippet of the matching function," continues the analysis.
LockPoS has been distributed via a Flokibot botnet, likely by the same threat actors who focus on Brazilian users.
Experts highlighted that the same C&C domain, treasurehunter[.]at, was used in another PoS malware campaign spotted by FireEye last year and tracked as TreasureHunt.
Arbor Networks explained that LockPoS is a totally different malware family from TREASUREHUNT.
"One thing to note about the analyzed C2 server (treasurehunter[.]at) is that there is a name overlap with another PoS malware that FireEye wrote about in 2016 called TREASUREHUNT. Based on their research on its C2 communications, panel, and other IoCs it looks like LockPoS and TREASUREHUNT are separate families."