More POS malware, just in time for Christmas

Share this…

VXers stuff evidence-purging malware in retailer stockings.

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break.

The Cherry Picker and AbaddonPOS malware, exposed in the last week, are the latest evolution in stealthy and capable point of sales credit and debit card plundering.

Cherry Picker has been targeting retail businesses since 2011 and now sports new anti-analysis tricks, persistence mechanisms, and better card ripping functionality.

Trustwave researcher Eric Merritt says the malware is expert at wiping evidence of itself after an attack has occurred, overwriting files multiple times and removing data exfiltration locations.

More POS malware, just in time for Christmas

The memory-scraping malware runs on Windows platforms including Windows 7 and the hard-to-kill XP, running remote administration services.

It targets retailers in the food industry running any POS software.

Proofpoint’s contribution to the bad news was its description of the Abaddon point of sales malware, which also sports anti-analysis, obfuscation, and wiping tricks.

The researchers found Abbadon on seven client networks that had been delivered after a Vawtrak infection.

“On October 8, Proofpoint researchers observed Vawtrak downloading TinyLoader … which then downloaded AbaddonPOS,” the researchers say.

“The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice,” the researchers say.

“While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cybercriminals ample reason to maximise the return on their campaigns.”

PoS malware will be further challenged as the United States deploys EMV credit card technology, notably when crucial PIN features are used in place of antiquated signatures.

Source:https://www.theregister.co.uk/