Firm detects Zeus variant targeting POS terminals

The Hesperbot trojan has been distributed via sophisticated phishing emails.
The malware is based on the leaked code of Zeus and RAM-scraping malware.

Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.

A new report (PDF) from security firm Websense detailed the campaign that used the hybrid malware.

According to the findings, published on Wednesday, researchers saw a spike in malicious command-and-control server traffic around late November.

The 15-page report, called “Using Anomalies in Crash Reports to Detect Unknown Threats,” specifically highlighted how risk indicators can be gleaned by analyzing application crash activity, particularly crash reports generated by Windows Error Reporting.

Of note, Websense tracked the influx of POS application crashes in November, and found that a clothing retailer in the Eastern U.S. was infected with the Zeus variant.
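The crash-report signal the report describes can be reduced to a simple baseline test over Windows Error Reporting style records: count crashes per application per day, learn what "normal" looks like over a quiet window, and flag days where one application suddenly crashes far more often, then pull out which hosts and faulting modules were involved. The following is an added example written for this article, not Websense's method or data; the pipe-separated record layout, the host and application names, and every crash line are constructed assumptions.

```python
"""Added example: flag clusters of application crashes in Windows Error
Reporting style records. This illustrates the "anomalies in crash reports"
risk indicator the Websense report describes; it is not Websense's own
method, and all data below is constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Constructed sample, one crash per line: "timestamp|host|application|faulting module".
# The layout is an assumption for this example; real WER data (Application log
# Event ID 1000, or Report.wer files) carries more fields than this.
SAMPLE_CRASHES = """\
2013-11-04T09:12:03|pos-01|POSApp.exe|POSApp.exe
2013-11-06T14:40:11|pos-03|POSApp.exe|msvcr100.dll
2013-11-11T10:01:55|pos-02|POSApp.exe|POSApp.exe
2013-11-13T16:22:40|pos-01|POSApp.exe|POSApp.exe
2013-11-18T11:05:09|pos-04|POSApp.exe|msvcr100.dll
2013-11-20T12:30:00|ws-07|EXCEL.EXE|EXCEL.EXE
2013-11-25T09:02:13|pos-01|POSApp.exe|unknown
2013-11-25T09:03:48|pos-01|POSApp.exe|unknown
2013-11-25T09:41:02|pos-02|POSApp.exe|unknown
2013-11-25T10:15:37|pos-03|POSApp.exe|unknown
2013-11-25T11:58:21|pos-02|POSApp.exe|unknown
2013-11-25T13:07:44|pos-01|POSApp.exe|unknown
2013-11-25T15:20:05|ws-07|EXCEL.EXE|EXCEL.EXE
2013-11-26T08:55:10|pos-04|POSApp.exe|unknown
2013-11-26T09:30:12|pos-01|POSApp.exe|unknown
2013-11-26T12:02:33|pos-03|POSApp.exe|unknown
2013-11-26T14:44:01|pos-02|POSApp.exe|unknown
2013-11-26T17:10:58|pos-01|POSApp.exe|unknown
"""


def parse_crashes(text):
    """Parse the sample into dicts; app and module are lower-cased so that
    case differences between WER records do not split one application in two."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, app, module = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "app": app.lower(), "module": module.lower()})
    return records


def daily_counts(records):
    """app -> {day -> number of crashes}"""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["app"]][r["ts"].date()] += 1
    return counts


def find_crash_anomalies(records, baseline_start, baseline_end, min_count=3, sigma=3.0):
    """Return days after the baseline window on which an application crashed
    far more often than its own baseline.

    baseline_start/baseline_end are ISO dates ("YYYY-MM-DD"), inclusive. A day is
    flagged when its count is at least min_count AND exceeds mean + sigma * stdev
    of the per-day baseline counts (zero-crash days included, so a normally quiet
    application gets a low threshold). The min_count floor keeps a single extra
    crash from raising an alert.
    """
    start, end = date.fromisoformat(baseline_start), date.fromisoformat(baseline_end)
    n_days = (end - start).days + 1
    anomalies = []
    for app, per_day in daily_counts(records).items():
        baseline = [per_day.get(start + timedelta(days=i), 0) for i in range(n_days)]
        threshold = mean(baseline) + sigma * pstdev(baseline)
        for day in sorted(per_day):
            count = per_day[day]
            if day <= end or count < min_count or count <= threshold:
                continue
            day_records = [r for r in records if r["app"] == app and r["ts"].date() == day]
            anomalies.append({
                "app": app,
                "day": day.isoformat(),
                "count": count,
                "threshold": round(threshold, 2),
                # Spread across terminals and an unexpected faulting module are the
                # details worth pulling from the crash data for triage.
                "hosts": sorted({r["host"] for r in day_records}),
                "modules": sorted({r["module"] for r in day_records}),
            })
    anomalies.sort(key=lambda a: (a["day"], a["app"]))
    return anomalies


if __name__ == "__main__":
    for a in find_crash_anomalies(parse_crashes(SAMPLE_CRASHES), "2013-11-04", "2013-11-24"):
        print(f'{a["day"]} {a["app"]}: {a["count"]} crashes (threshold {a["threshold"]}) '
              f'on {len(a["hosts"])} hosts, faulting modules {a["modules"]}')
```

On the constructed data the POS application is flagged on both post-baseline days while the single spreadsheet crash is not, and the per-day detail shows the crashes spread across several terminals with a faulting module that never appeared in the baseline. In practice the baseline should be per application and per fleet segment, since a POS estate and a back-office estate crash at very different rates.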

On Friday, Alex Watson, director of security research at Websense, told SCMagazine.com via email that the firm is also investigating whether retailers in Europe were impacted by the new malware.

He added that the Zeus variant would work in the favor of criminals targeting retailers, since “Zeus malware would be useful for exfiltrating stolen credit numbers from point-of-sale terminals to the attackers' infrastructure.”

Malware with RAM-scraping capabilities would offer attackers another means of siphoning card data from infected terminals, as was the case with the malware dubbed POSRAM, which struck Target's point-of-sale systems.
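A RAM scraper works because magnetic-stripe track data sits unencrypted in the POS process's memory between the swipe and the authorization request, and the track layout (start sentinel, PAN, separator, expiry, service code) is regular enough to pattern-match. The same matching, run by an analyst over a memory capture from a suspect terminal, shows what a scraper could have harvested. The following is an added example for this article, not code from the page or from any malware family it names; the memory buffer, the receipt fragment in it and the PANs (standard test card numbers) are constructed.

```python
"""Added example: search a captured memory image for magnetic-stripe track data.
This is an analyst's check of what a RAM scraper could harvest from a POS
process, not code from the article or from any malware it mentions; the
memory buffer below is constructed."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...  Track 2: ;<PAN>=<YYMM><service code>...
# (ISO/IEC 7813 layout). Scrapers key on these sentinels and separators because
# the raw swipe survives in process memory after the POS application parses it.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})")


def luhn_ok(pan):
    """Luhn check-digit test; discards digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, the usual disclosure limit for a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(image):
    """Return Luhn-valid track hits, with PANs masked so the report itself is not a card-data spill."""
    hits = []
    for track, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(image):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue
            hits.append({"track": track, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group("exp").decode(),
                         "service_code": m.group("svc").decode()})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed memory image: filler, one swipe with both tracks, one Luhn-invalid
# look-alike, and a second lone track 2. PANs are published test numbers.
MEMORY_IMAGE = (
    b"\x00" * 16 + b"<receipt id=\"7781\" total=\"42.17\"/>" + b"\x00" * 8
    + b"%B4111111111111111^DOE/JOHN^25121011234567890123?"
    + b";4111111111111111=25121011234567890?" + b"\x00" * 24
    + b";4111111111111112=2512101123?"          # fails Luhn: noise, not a card
    + b"\xff" * 12 + b"ORDER 2013-11-25 12:30:00" + b"\x00" * 8
    + b";5555555555554444=27011019999888?" + b"\x00" * 16
)

if __name__ == "__main__":
    for h in find_track_data(MEMORY_IMAGE):
        print(h)
```

The Luhn filter matters more than it looks: on a real multi-gigabyte capture the bare regexes match plenty of timestamps, transaction IDs and counters, and the check digit removes most of them. Finding valid track data in a terminal's memory does not by itself prove scraping, but it does show the terminal holds exactly what such malware is built to collect.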

Watson later explained how examining crash reports revealed significant details about the attack campaign.

“It is possible that the cluster of point-of-sale application crashes that were caused by the malware in late November could have been seen due to a heavy volume of credit card transactions, causing instability in the malware which forced the point-of-sale program to crash repeatedly,” Watson wrote.

In a video interview with SC Magazine, Watson further spoke to the valuable threat information the firm pulled from crash reports in its research.

The Websense report called attention to the attack group's distinctive approach in using the Zeus variant.

“This is most definitely not a mass malware infection, but rather one that is targeting businesses specifically in the wholesale trade sector – very much different than a typical Zeus infection that is evenly distributed across industries such as financial, government and healthcare. This creates yet another risk indicator that we may be looking at a targeted campaign focused on POS applications,” the report said.
