Firm detects Zeus variant targeting POS terminals

The malware is based on the leaked code of Zeus and RAM-scraping malware.

Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.

A new report (PDF) from security firm Websense detailed the campaign that used the hybrid malware.

According to the findings, published on Wednesday, researchers saw a spike in malicious command-and-control server traffic around late November. The 15-page report, called “Using Anomalies in Crash Reports to Detect Unknown Threats,” specifically highlighted how risk indicators can be gleaned by analyzing application crash activity, particularly crash reports generated by Windows Error Reporting.
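As an added example that is not from the Websense report or this article, the script below flags the kind of crash cluster the report relies on: a day on which one application's crash count, taken from WER-style records, spikes across several terminals relative to that application's own baseline. The record layout, host names and the process name "pos_app.exe" are constructed for this illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of WER-style crash records: "<timestamp> <host> <faulting app>".
# The layout, host names and the "pos_app.exe" process name are assumptions for this
# example; they are not taken from the Websense report.
SAMPLE_CRASHES = """\
2013-11-04T10:15:00 reg-01 pos_app.exe
2013-11-11T14:02:00 reg-03 pos_app.exe
2013-11-18T09:40:00 reg-02 pos_app.exe
2013-11-25T12:01:00 reg-01 pos_app.exe
2013-11-25T12:03:00 reg-02 pos_app.exe
2013-11-25T12:05:00 reg-03 pos_app.exe
2013-11-25T12:07:00 reg-04 pos_app.exe
2013-11-25T12:09:00 reg-01 pos_app.exe
2013-11-25T12:11:00 reg-02 pos_app.exe
2013-11-25T12:13:00 reg-05 pos_app.exe
2013-11-25T12:15:00 reg-03 pos_app.exe
2013-11-12T08:00:00 reg-02 browser.exe
2013-11-26T08:00:00 reg-02 browser.exe
"""


def parse_crashes(log_text):
    """Yield (app, day, host) for each well-formed record; skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, host, app = parts
        yield app, timestamp[:10], host


def find_crash_clusters(log_text, ratio=3.0, min_crashes=5, min_hosts=3):
    """Return sorted (app, day, crashes, distinct_hosts) tuples that look anomalous.

    A day is flagged when its count reaches min_crashes, spans at least min_hosts
    distinct machines (a fleet-wide cluster rather than one faulty terminal), and
    exceeds ratio times the median daily count of that app's other days.
    """
    hosts_by_day = defaultdict(lambda: defaultdict(set))   # app -> day -> hosts
    counts = defaultdict(lambda: defaultdict(int))          # app -> day -> crashes
    for app, day, host in parse_crashes(log_text):
        hosts_by_day[app][day].add(host)
        counts[app][day] += 1

    clusters = []
    for app, days in counts.items():
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day] or [0]
            baseline = max(median(others), 1)          # never divide a spike by zero
            hosts = len(hosts_by_day[app][day])
            if n >= min_crashes and hosts >= min_hosts and n > ratio * baseline:
                clusters.append((app, day, n, hosts))
    return sorted(clusters)
```

In the constructed sample only the 25 November spike in pos_app.exe across five terminals is reported; the browser crashes and the single weekly POS crashes stay within baseline.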

Of note, Websense tracked the influx of POS application crashes in November, and found that a clothing retailer in the Eastern U.S. was infected with the Zeus variant.

On Friday, Alex Watson, director of security research at Websense, said via email correspondence that the firm is also investigating whether retailers in Europe were impacted by the new malware.

He added that the Zeus variant would work to the favor of criminals targeting retailers, since “Zeus malware would be useful for exfiltrating stolen credit numbers from point-of-sale terminals to the attackers' infrastructure.”

Malware with RAM-scraping capabilities would offer attackers another means of siphoning financial data from users, as was the case with the malware dubbed POSRAM, which struck Target's point-of-sale systems.

Watson later explained how examining crash reports revealed significant details about the attack campaign.

“It is possible that the cluster of point-of-sale application crashes that were caused by the malware in late November could have been seen due to a heavy volume of credit card transactions, causing instability in the malware which forced the point-of-sale program to crash repeatedly,” Watson wrote.

In a video interview with SC Magazine, Watson further spoke to the valuable threat information the firm pulled from crash reports in its research.

The Websense report called attention to the attack group's distinctive approach in using the Zeus variant.

“This is most definitely not a mass malware infection, but rather one that is targeting businesses specifically in the wholesale trade sector – very much different than a typical Zeus infection that is evenly distributed across industries such as financial, government and healthcare. This creates yet another risk indicator that we may be looking at a targeted campaign focused on POS applications,” the report said.
