ProofPoint says it has discovered new malware on point of sale (POS) terminals which had previously been infected with the Vawtrak banking trojan.
Researchers working at ProofPoint said there was enough evidence to suggest that both were written by the same criminals.
The malware was spotted as it was being downloaded in the process of a Vawtrak infection. This use of additional payloads to enhance attack capabilities offers another example of efforts by threat actors to expand their target surfaces through the delivery of multiple payloads in a single campaign, in this case by including potential PoS terminals.
Researchers discovered the malware in October and observed Vawtrak downloading TinyLoader, a downloader that uses a custom protocol for downloading executable payloads from its command and control server. TinyLoader was then used to download another downloader in the form of shellcode, which then downloaded AbaddonPoS.
It said that the malware could infect a terminal via the Angler exploit kit or via an infected Microsoft Office document.
Researchers said AbaddonPoS uses techniques such as basic anti-analysis and obfuscation that make it more difficult to track.
“For example, AbaddonPoS employs a CALL instruction to push a function parameter onto the stack rather than simply using, for instance, the more common PUSH instruction. A CALL instruction pushes the next address onto the stack, which is typically used as a return address following a RETN instruction,” said the researchers in a blog post.
The researchers added that most of AbaddonPoS's code is not obfuscated or packed, with the exception of the code used to encode and transmit stolen credit card data.
The malware then tries to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
Communication and exfiltration of credit card data is carried out by the decoded shellcode downloaded by TinyLoader.
The firm said that the practice of threat actors increasing their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice.
Patrick Wheeler, director of threat intelligence for Proofpoint, said the appearance of new PoS malware on the eve of the holiday shopping season highlights that despite the adoption of EMV cards, credit card swipes remain a valuable target for cyber-criminals.
“AbaddonPoS takes advantage of organisations that use the same computer to process PoS transactions and check emails. It resists analysis and encodes stolen credit card data for easy transfer,” he said. “Organisations need to silo their PoS terminals and use advanced cyber-security technology that stops the latest malware from getting in—and prevents sensitive credit card data from unauthorised removal.”
Kevin Burns, head of solution architecture at Vodat International, told SCMagazineUK.com that the research highlighted what might be be the 'last hurrah' of card holder data theft en masse in the US, before EMV hits mainstream and limits the ability of the perpetrators to get hold of this sensitive and valuable data.
“PoS environments may appear tough to secure and maintain, perhaps not least due to the size of estates in bigger retailers, and certainly many will have struggled to fund large hardware replacements which will be required due to the end of life of Windows XP, but it is likely that a lack of training would lead to the initial infection in this instance, with users probably opening emails with attachments that would then trigger the malware installation process,” he said.
“Looking at the relative complexity of the Abaddon 'solution', I suspect that it could be installed on a large number of retailers/merchants without them realising and it is likely to have some self-propagation capabilities too, ensuring that it can target as many devices as possible,” added Burns.
He said that poor network segmentation and poor firewall rule management and enforcement is leaving PoS systems vulnerable, and the introduction of EMV (chip cards) using separate card readers, rather than the PoS magnetic stripe reader (MSR), will reduce risks and should reduce access to card holder data significantly going forward.
It's likely that hackers will be racing to capture as much non-EMV card data as possible as quickly as possible. Burns added that the risk for UK retailers relates to those that have an integrated card payment solution which uses the PoS as the host to the payment application. The Abaddon malware is looking to scrape possible card data from the memory of the PoS, and if the payment application is on the PoS then it is using that same memory.
“This may include solutions which encrypt card data, if the encryption occurs on the PoS,” he said.
Philip Lieberman, CEO of Lieberman Software, told SC that as PoS systems run operating systems like Microsoft Windows and Linux, they are subject to the full gamut of attacks we see on desktops and servers. “However, because there is direct financial benefit for attacking PoS systems, substantial investments are made to compromise this area. All of the PoS malware is bad news,” he said.
To better protect themselves, organisations should ensure that PoS networks are air-gapped from regular user networks. “Internet connectivity to PoS networks should be disconnected or severely limited such as with point-to-point VPNs and limited connectivity outside its range of acceptable systems,” he added.
