Firm detects Zeus variant targeting POS terminals

Share this article:
The Hesperbot trojan has been distributed via sophisticated phishing emails.
The malware is based on the leaked code of Zeus and RAM-scraping malware.

Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.

A new report (PDF) from security firm Websense detailed the campaign that used the hybrid malware.

According to the findings, published on Wednesday, researchers saw a spike in malicious command-and-control server traffic around late November.The 15-page report, called “Using Anomalies in Crash Reports to Detect Unknown Threats,” specifically highlighted how risk indicators can be gleaned by analyzing application crash activity, particularly crash reports generated by Windows Error Reporting.

Of note, Websense tracked the influx of POS application crashes in November, and found that a clothing retailer in the Eastern U.S. was infected with the Zeus variant.

On Friday, Alex Watson, director of security research at Websense, told SCMagazine.com via email correspondence, that the firm is also investigating whether retailers in Europe were impacted by the new malware.

He added that the Zeus variant would work to the favor of criminals targeting retailers, since “Zeus malware would be useful for exfiltrating stolen credit numbers from point-of-sale terminals to the attackers' infrastructure.”

Malware with RAM-scrapping capabilities would offer attackers another means of siphoning financial data from users, as was the case with malware dubbed, POSRAM, which struck Target's point-of-sale systems.

Watson later explained how examining crash reports revealed significant details about the attack campaign.

“It is possible that the cluster of point-of-sale application crashes that were caused by the malware in late November could have been seen due to a heavy volume of credit card transactions, causing instability in the malware which forced the point-of-sale program to crash repeatedly,” Watson wrote.

In a video interview with SC Magazine, Watson further spoke to the valuable threat information the firm pulled from crash reports in its research.

The Websense report called attention to the attack group's distinctive approach in using the Zeus variant.

“This is most definitely not a mass malware infection, but rather one that is targeting businesses specifically in the wholesale trade sector – very much different than a typical Zeus infection that is evenly distributed across industries such as financial, government and healthcare. This creates yet another risk indicator that we may be looking at a targeted campaign focused on POS applications,” the report said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Adobe exploit used to spread Dyre credential stealer

Adobe exploit used to spread Dyre credential stealer

Users running vulnerable Adobe software could be in danger of having credentials for Bitcoin websites stolen.

Staples is investigating a potential issue involving credit card data

Staples is investigating a potential issue involving credit ...

The company said it is investigating a potential issue involving credit card data and that customers are not responsible for fraudulent activity on cards if an issue is discovered.

Skills set a priority over legacy prejudices, experts say

Skills set a priority over legacy prejudices, experts ...

Cybersecurity expert Winn Schwartau and Robert Clark, a cyber law attorney at the Army Cyber Institute, discussed issues around hiring in the information security industry.