21 Apr 2015
A new malware family targeting point-of-sale (PoS) systems, is infecting machines in order to scrape [payment card iinformation from memory. The malware, dubbed PoSeidon, was initially spotted by researchers from Cisco’s Security Solutions (CSS) team. PoSeidon, like most point-of-sale Trojans, scans the RAM of infected terminals for unencrypted strings that match credit card information. End-to-end encryption technology would protect payment card data from these sorts of attacks, but few PoS terminals have this capability right now. Cisco’s researchers say that PoSeidon is comprised of a keylogger, a loader and a memory scraper that also has keylogging functionality. As one would expect, the keylogger is designed to steal credentials for the LogMeIn remote access application. It deletes encrypted LogMeIn passwords and profiles stored in the system registry. When users enter this information again, the keylogger captures the information. It’s probably aimed at grabbing remote access credentials, which will then be used to enter the PoS and install PoSeidon. When the PoS terminal has been compromised, the loader is installed. This creates the registry keys necessary to keep the malware alive after system reboots. The loader also accesses a hard-coded list of command-and-control (C&C) servers to download another file called FindStr, which is used to find strings that match payment card numbers in the memory of running processes. PoSeidon used the Luhn formula to verify that the captured strings are credit card numbers. After authenticating, it uploads this data – and other information captured by the keylogger – to one of the command-and-control servers. This direct communication capacity differentiates PoSeidon from other PoS memory scrapers, which typically store captured data locally until the attackers log on and download it. “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the CSS researchers said. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.” With PoS malware in active circulation, retailers are right to worry about the security of their systems. Malware can do a very effective job of hiding within a compromised system. One of the best ways to discover whether or not an organization has suffered a breach of its defenses is to search for anomalies on the endpoints themselves in real time. The BAI Security Compromise Assessment helps organizations determine what malicious code exists within the enterprise through a short-term deployment of highly-specialized, yet non intrusive, forensic software on all endpoints.