The world of computer viruses and antivirus solutions is in constant change, with cyber-crooks evolving their code and cyber-security firms trying to keep up but always being two steps behind.
In recent years, malware targeting PoS (Point of Sale) stations has been evolving constantly, with new versions coming out almost every month. Businesses and antivirus companies are turning their attention more and more to this sector as they realize the dangers to which users and their finances are exposed on a daily basis.
With most of the world’s financial transactions being handled digitally, credit and debit cards are the primary means of payment in all developed countries.
Because of lackluster or nonexistent security measures, hackers have always had an easy meal ticket when wanting to exfiltrate data from PoS devices.
Trojan.MWZLesson, a new piece of malware targeting Point of Sale devices
Dr.Web, a Russian antivirus company, has been closely following the world of PoS malware, and it recently discovered Trojan.MWZLesson, one of the most advanced malware strains that have ever targeted PoS devices.
While previous PoS malware was preoccupied with snooping around in the PoS device’s software and hardware, recent families are expanding their searches to any computer the PoS device may be attached to.
Trojan.MWZLesson, as Dr.Web puts it, besides scanning the PoS RAM for bank card data and sending it to a C&C server somewhere online, can also intercept GET and POST requests from the browsers (Firefox, Google Chrome and Internet Explorer) on the victim’s PC.
These requests are also sent to the C&C server, where attackers can break them down and extract any sensitive information left unprotected.
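Both behaviours described above end the same way: data leaves the PoS host over HTTP to a server the terminal has no business talking to. A PoS terminal normally contacts only a short, known list of endpoints (its payment gateway, its update server), so an egress allowlist over proxy logs catches this class of traffic regardless of the malware family. The following is an added example written for this article, not code from Dr.Web or from the article itself; the log format, the allowlist host names, the PoS subnet and the IP addresses are all constructed for illustration.

```python
"""Egress allowlist check for PoS hosts over constructed proxy log lines.

Added example, not part of the original article. Assumptions (all constructed):
  - a simplified proxy log format: "<ts> <src_ip> <METHOD> <url> <status> <bytes>"
  - PoS terminals live in the 10.20.30.0/24 subnet
  - the only legitimate destinations are the two hosts in ALLOWED_DESTINATIONS
"""
import re
from collections import Counter

# Constructed: hosts a PoS terminal is expected to contact (payment gateway, updates).
ALLOWED_DESTINATIONS = {
    "gateway.example-processor.test",
    "updates.example-pos.test",
}

# Constructed: string prefix identifying the PoS terminal subnet.
POS_SUBNET_PREFIX = "10.20.30."

# Constructed sample log: two terminals, one non-PoS host, one unknown destination.
SAMPLE_LOG = """\
1441000001.123 10.20.30.11 POST https://gateway.example-processor.test/auth 200 512
1441000002.456 10.20.30.11 POST http://203.0.113.7/gate.php 200 8192
1441000003.789 10.20.30.12 GET http://updates.example-pos.test/manifest 200 1024
1441000004.012 10.20.30.12 GET http://203.0.113.7/gate.php?cmd=ping 200 64
1441000005.345 10.20.40.5 POST http://203.0.113.7/gate.php 200 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Destination host: strip the scheme, then cut at the first "/" and any ":port".
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/")[0].split(":")[0]
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_suspicious_egress(log_text):
    """Return one alert per request from a PoS host to a host outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["src"].startswith(POS_SUBNET_PREFIX):
            continue  # unparsable line, or traffic from a non-PoS host
        if rec["host"] in ALLOWED_DESTINATIONS:
            continue  # expected gateway or update traffic
        alerts.append(
            {"src": rec["src"], "dst": rec["host"], "method": rec["method"], "bytes": rec["bytes"]}
        )
    return alerts


def summarize(alerts):
    """Aggregate bytes per (source, destination); a terminal pushing large POST
    volumes to one unknown host is the pattern an analyst would triage first."""
    totals = Counter()
    for a in alerts:
        totals[(a["src"], a["dst"])] += a["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = find_suspicious_egress(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['src']} -> {a['dst']} {a['method']} {a['bytes']} bytes")
    print(summarize(found))
```

Matching on the destination host rather than on a known C&C address is deliberate: the allowlist stays valid when the attackers move servers, and the same rule flags the intercepted browser requests as well as the scraped card data, since both are relayed to a host the terminal was never supposed to reach.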
Trojan.MWZLesson can execute commands on PCs attached to infected PoS devices
What’s even scarier is that Trojan.MWZLesson also comes with a module that allows it to execute special commands on the infected PCs; besides basic UPDATE, FIND and CMD commands, it also supports LOADER and DDOS.
While DDOS is self-explanatory and lets attackers use the infected machine in DDoS attacks as part of a botnet, LOADER enables hackers to download and run other files on the machine, which is very useful if they want to use the PoS malware as an entry point for infecting victims with more dangerous and complex malware strains.
Dr.Web attributes the level of complexity Trojan.MWZLesson has achieved to the way it was constructed, reusing pieces of code from other malware: Trojan.PWS.Dexter, which is also PoS malware, and BackDoor.Neutrino.50, a multi-component backdoor that exploits the CVE-2012-0158 vulnerability found on Windows machines.
If there were ever a place to install antivirus solutions, computers that handle a user’s financial details are definitely it.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies like Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.