
‘Nemanja’ POS malware compromises 1,500 devices, half a million payment cards, worldwide

As many as half a million payment cards used in hotels, grocery stores and other businesses around the world – including in the U.S. – have been compromised by ‘Nemanja,’ a recently discovered piece of malware that has infected nearly 1,500 point-of-sale (POS) devices.

The massive, worldwide Nemanja botnet – discovered in March by cyber intelligence company IntelCrawler – includes more than 1,478 hosts in more than 35 countries, including the U.S., UK, Canada, Australia, China, Japan, Israel and Italy, as well as a number of developing countries.

The botnet is the work of a single group of cyber crooks believed to be located in Serbia, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Thursday email correspondence, adding that the U.S. – namely New York, California, Washington and Colorado – has been a high priority target.

“It is one of those cases where a group of hackers developed [their] own malware for targeted attacks, with a very clear commercialization scheme,” Komarov said, adding that Nemanja does not appear to be up for sale. “They intercept credit cards from [infected POS devices] and then resell [the data] on [the] black market through their own shops and partners.”

If all intercepted data was sold on underground markets at the going rates, millions of dollars could have been made in the fairly elaborate scheme, which involves creating fraudulent payment cards and laundering money through registered POS and mobile POS devices, Komarov said.

Infecting the targeted POS devices was no simple task.

“In some cases, [the attackers] used a technical way of penetration into the network perimeter, through remote administration channels, in order to install [the] malware, but it was also found that they might have [asked] insiders, or mules, to install this malware during their employment period,” Komarov said.

Nemanja stands out from other RAM-scraping POS malware – such as Alina, BlackPOS, Dexter, JackPOS and VSkimmer – by offering keylogging, detection of grocery management and accounting software, and self-deletion, Komarov said.

Additionally, the attackers did not limit Nemanja usage to just POS devices. Komarov said that the gang of cyber criminals eventually went on to target other people in the financial industry, including accountants.

“Using the keylogging module, they [waited] for technical people and supervisors to gain access to [back offices], which helped them to penetrate corporate networks very deep and organize serious breaches,” Komarov said, adding that Nemanja was detected about six months after the first successful infection.

The IntelCrawler findings – coupled with recent POS attacks against retailers, including Target and Michaels – are fairly telling of the direction cyber crime is taking. Additionally, recent data breach reports by Trustwave and Verizon indicate POS attacks are on the rise.

“According to our information, Nemanja can be named as really one of the biggest, in fact, possibly the biggest, botnet based on POS terminals and various infected PCs located in stores and [elsewhere],” Komarov said, adding IntelCrawler continues to alert impacted entities of the threat.
