Firm detects Zeus variant targeting POS terminals

The malware is based on the leaked code of Zeus and RAM-scraping malware.

Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.

A new report (PDF) from security firm Websense detailed the campaign that used the hybrid malware.

According to the findings, published on Wednesday, researchers saw a spike in malicious command-and-control server traffic around late November. The 15-page report, called “Using Anomalies in Crash Reports to Detect Unknown Threats,” specifically highlighted how risk indicators can be gleaned by analyzing application crash activity, particularly crash reports generated by Windows Error Reporting.

Of note, Websense tracked the influx of POS application crashes in November, and found that a clothing retailer in the Eastern U.S. was infected with the Zeus variant.

On Friday, Alex Watson, director of security research at Websense, told SCMagazine.com via email correspondence that the firm is also investigating whether retailers in Europe were impacted by the new malware.

He added that the Zeus variant would work in favor of criminals targeting retailers, since “Zeus malware would be useful for exfiltrating stolen credit numbers from point-of-sale terminals to the attackers' infrastructure.”

Malware with RAM-scraping capabilities would offer attackers another means of siphoning financial data from users, as was the case with malware dubbed POSRAM, which struck Target's point-of-sale systems.

Watson later explained how examining crash reports revealed significant details about the attack campaign.

“It is possible that the cluster of point-of-sale application crashes that were caused by the malware in late November could have been seen due to a heavy volume of credit card transactions, causing instability in the malware which forced the point-of-sale program to crash repeatedly,” Watson wrote.

In a video interview with SC Magazine, Watson further spoke to the valuable threat information the firm pulled from crash reports in its research.

The Websense report called attention to the attack group's distinctive approach in using the Zeus variant.

“This is most definitely not a mass malware infection, but rather one that is targeting businesses specifically in the wholesale trade sector – very much different than a typical Zeus infection that is evenly distributed across industries such as financial, government and healthcare. This creates yet another risk indicator that we may be looking at a targeted campaign focused on POS applications,” the report said.
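As an added illustration (not code from the Websense report or from this article), the two risk indicators described above, a cluster of crashes in one application and a concentration of those crashes in one sector, can be checked over crash telemetry as follows. The records, application names and field layout are constructed for the example and do not reflect the Windows Error Reporting schema; the median/MAD outlier test is one common choice, not the report's stated method.

```python
from collections import Counter
from statistics import median

SECTORS = ["financial", "government", "healthcare"]


def build_sample():
    """Constructed data: 30 days of (day, application, sector) crash records."""
    records = []
    for day in range(1, 31):
        # Background noise: occasional crashes spread evenly across sectors.
        records.append((day, "pos_app.exe", SECTORS[day % 3]))
        records += [(day, "browser.exe", SECTORS[day % 3])] * 2
        if 25 <= day <= 27:
            # Late-month cluster of POS application crashes in a single sector.
            records += [(day, "pos_app.exe", "wholesale trade")] * 11
    return records


def spike_days(records, app, days=range(1, 31), threshold=3.5):
    """Return days whose crash count for `app` is a robust outlier.

    Uses the modified z-score (median and median absolute deviation), so a
    short burst does not inflate its own baseline the way a mean would.
    """
    counts = Counter(d for d, a, _ in records if a == app)
    values = [counts[d] for d in days]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid divide-by-zero
    return [d for d in days if 0.6745 * (counts[d] - med) / mad > threshold]


def sector_concentration(records, app, days):
    """Return (top_sector, share) of `app` crashes on the given days."""
    sectors = Counter(s for d, a, s in records if a == app and d in days)
    total = sum(sectors.values())
    if total == 0:
        return None, 0.0
    top, n = sectors.most_common(1)[0]
    return top, n / total


if __name__ == "__main__":
    recs = build_sample()
    flagged = spike_days(recs, "pos_app.exe")
    print("spike days:", flagged)
    print("sector concentration:", sector_concentration(recs, "pos_app.exe", flagged))
```

A spike that is confined to one application and dominated by one sector is the pattern the report treats as a sign of a targeted campaign rather than a mass infection.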
