Security researchers have discovered two point-of-sale (POS) malware families: “PwnPOS,” which showcases attackers’ “simple but thoughtful construction” for skirting detection, and the “LogPOS” family that uses Microsoft Windows’ mailslots to deliver stolen credit card data to attackers.
The latter threat, LogPOS, was uncovered by Cincinatti-based security firm Morphick last week.
In a blog post, Morphick researcher Nick Hoffman explained that using Windows mailslots “isn’t a new mechanism for malware,” as it has been previously leveraged in APT attacks, but one that has apparently been added to POS malware authors’ arsenals. According to Microsoft, a mailslot is a mechanism for one-way interprocess communications (IPC), where applications can store messages and mailslot owners can retrieve them. In this case, the authors of LogPOS took advantage of the mechanism to store, and later collect, credit card data, Hoffman wrote.
“Because LogPOS injects code into various processes and has each of them search their own memory, it can’t use a log, since they can’t all open the same file with write access at once,” Hoffman wrote. “Instead, it uses mailslots.”
“In this case, the main executable creates the mailslot and acts as the mailslot server, while the code injected into the various processes acts as a client, writing carved credit card numbers to the mailslot for direct transmission to the C2 [server],” he explained later.
In its blog post, the firm published a YARA rule so enterprises can detect LogPOS variants.
Hoffman noted that the malware family’s mailslot capability helps it skirt traditional methods for identifying POS threats, like scanning files for unencrypted credit card information, since the malware instead writes the data to a mailslot. He added that, as the discovery of new POS malware families continues, he doesn’t expect the trend to slow down despite the community’s efforts to thwart such threats.
Last week, Trend Micro threat analyst Jay Yaneza unveiled information on another new POS malware family, dubbed “PwnPOS.” Potentially active since 2013, Yaneza said that the malware was able to “fly under the radar all these years due to its simple but thoughtful construction.”
In a blog post, he explained that malware’s two main components consisted of a RAM scraper binary that “remains constant,” and a data exfiltration module that uses two different binaries: one packed using MPRESS, which appeared to be coded via the cross-platform PureBasic programming language, and another, an AutoIt-compiled executable that is packed by UPX, Yaneza wrote.
In Friday email correspondence with SCMagazine.com, Yaneza said that PwnPOS’ data exfiltration component, alone, used two different email addresses, though he couldn’t personally confirm if both were linked to the same person.
Regarding the RAM scraping malware component, he wrote that the “significant strings within the binaries uses the locale Russian_Russia.1251, and this is usually read language[_country][.charset]. But we should also note that, in general, this is using Windows-1251 8-bit character encoding that is designed to cover languages that use the Cyrillic script,” he explained. “In the transfer of digital content, the character encoding is used to ensure that the characters are represented correctly. We cannot say if the same is true about the authors, rather it’s what the files are expected to output,” he said of attribution.
On its blog, Trend Micro published a YARA rule for PwnPOS detection along with indicators of compromise (IOCs) for the threat.