An updated version of FastPOS features modular architecture and also relies on mailslots to briefly store data in memory with no trace.
An updated version of FastPOS features modular architecture and also relies on mailslots to briefly store data in memory with no trace.

When the point-of-sale malware FastPOS was discovered earlier this year, researchers noted how the retail data-stealer sacrificed stealth for speed. But as the holiday shopping season approaches, the malware's newest iteration appears to have improved its evasion efforts by using modular architecture.

Trend Micro detailed the upgraded program, dubbed FastPOS.A, in a blog post yesterday, citing malware samples collected in September, after the security company noticed “an unusual network connection in one of the endpoints of a company based in North America.” Much like the malware itself, which expedites the transmission of stolen POS data, its developers acted with a sense of urgency, launching their latest campaign only about a month after the developer registered a new command-and-control domain. 

Since its emergence in the wild, FastPOS has stood out from many of its counterparts in that it is designed to immediately export stolen card data to the attackers, rather than periodically sending it out in batch intervals. Also, instead of storing pilfered data in a local file, the malware fleetingly stores data in temporary memory, leaving no physical trace of activity. FastPOS uses both a RAM scraper tool to capture credit card data, and keylogger spyware to capture personally identifiable information as well as payment information. 

In the new and improved version, the developer has altered the malware's architecture so that each of its key components – the RAM scraper (one for 32-bit systems, one for 64-bit systems), the keylogger (again, one each for 32-bit and 64-bit systems) and an executable that manages in-memory storage and C&C communication – are entirely separate modules.

Now, infected companies that manage to detect one of these components may not necessarily realize that additional modules continue to collect information from their networks. "If you find the RAM scraper service and you kill it, you may not realize that the keylogger is still running and stealing the credentials," said Jon Clay, director of global threat communications at Trend Micro, in an interview with SCMagazine.com.

The keylogger component is especially difficult to sniff out, Trend Micro reports, because the developer took steps to inject its code into the process memory of explorer.exe – the Windows Explorer file managing application.

FastPOS.A also employs a more innovative way of storing data in memory, by placing stolen information in mailslots – Windows-based mechanisms that enable one-way, short-message communications between local and network processes. Mailslots are temporary files that reside within a machine's memory before they are ultimately deleted – an ideal tool for bad actors looking to surreptitiously and briefly store data without leaving evidence.

According to Trend Micro, the use of mailslots was likely a necessary change after the malware author switched to a modular architecture in which multiple processes are simultaneously and separately running. “By going modular, [the malware] needed a central repository where all components can write logged data without using a physical file,” the blog post explained.

While mailslots are low in memory and cannot store copious amounts of data, “the beauty of this is that [FastPOS is] taking that data and very quickly updating it to the C&C server, so it's not staying in memory for very long,” said Clay.

In its blog post, Trend Micro theorizes that FastPOS' developer added these modifications with an eye on the holiday shopping season, to enhance the success of its upcoming campaigns. The company confirmed that the malware campaign is targeting small and medium-sized business in particular.