Breach, Compliance Management, Data Security, Incident Response, Malware, Privacy, TDR

FastPOS malware goes modular, adds stealth to speed

When the point-of-sale malware FastPOS was discovered earlier this year, researchers noted how the retail data-stealer sacrificed stealth for speed. But as the holiday shopping season approaches, the malware's newest iteration appears to have improved its evasion efforts by using modular architecture.

Trend Micro detailed the upgraded program, dubbed FastPOS.A, in a blog post yesterday, citing malware samples collected in September, after the security company noticed “an unusual network connection in one of the endpoints of a company based in North America.” Much like the malware itself, which expedites the transmission of stolen POS data, its developers acted with a sense of urgency, launching their latest campaign only about a month after the developer registered a new command-and-control domain. 

Since its emergence in the wild, FastPOS has stood out from many of its counterparts in that it is designed to immediately export stolen card data to the attackers, rather than periodically sending it out in batch intervals. Also, instead of storing pilfered data in a local file, the malware fleetingly stores data in temporary memory, leaving no physical trace of activity. FastPOS uses both a RAM scraper tool to capture credit card data, and keylogger spyware to capture personally identifiable information as well as payment information. 

In the new and improved version, the developer has altered the malware's architecture so that each of its key components – the RAM scraper (one for 32-bit systems, one for 64-bit systems), the keylogger (again, one each for 32-bit and 64-bit systems) and an executable that manages in-memory storage and C&C communication – are entirely separate modules.

Now, infected companies that manage to detect one of these components may not necessarily realize that additional modules continue to collect information from their networks. "If you find the RAM scraper service and you kill it, you may not realize that the keylogger is still running and stealing the credentials," said Jon Clay, director of global threat communications at Trend Micro, in an interview with SCMagazine.com.

The keylogger component is especially difficult to sniff out, Trend Micro reports, because the developer took steps to inject its code into the process memory of explorer.exe – the Windows Explorer file managing application.

FastPOS.A also employs a more innovative way of storing data in memory, by placing stolen information in mailslots – Windows-based mechanisms that enable one-way, short-message communications between local and network processes. Mailslots are temporary files that reside within a machine's memory before they are ultimately deleted – an ideal tool for bad actors looking to surreptitiously and briefly store data without leaving evidence.

According to Trend Micro, the use of mailslots was likely a necessary change after the malware author switched to a modular architecture in which multiple processes are simultaneously and separately running. “By going modular, [the malware] needed a central repository where all components can write logged data without using a physical file,” the blog post explained.

While mailslots are low in memory and cannot store copious amounts of data, “the beauty of this is that [FastPOS is] taking that data and very quickly updating it to the C&C server, so it's not staying in memory for very long,” said Clay.

In its blog post, Trend Micro theorizes that FastPOS' developer added these modifications with an eye on the holiday shopping season, to enhance the success of its upcoming campaigns. The company confirmed that the malware campaign is targeting small and medium-sized business in particular.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.