ProofPoint says it has discovered new malware on point of sale (POS) terminals which had previously been infected with the Vawtrak banking trojan.
Researchers working at ProofPoint said there was enough evidence to suggest that both were written by the same criminals.
The malware was spotted as it was being downloaded in the process of a Vawtrak infection. This use of additional payloads to enhance attack capabilities offers another example of efforts by threat actors to expand their target surfaces through the delivery of multiple payloads in a single campaign, in this case by including potential PoS terminals.
Researchers discovered the malware in October and observed Vawtrak downloading TinyLoader, a downloader that uses a custom protocol for downloading executable payloads from its command and control server. TinyLoader was then used to download another downloader in the form of shellcode, which then downloaded AbaddonPoS.
It said that the malware could infect a terminal via the Angler exploit kit or via an infected Microsoft Office document.
Researchers said AbaddonPoS uses techniques such as basic anti-analysis and obfuscation that make it more difficult to track.
“For example, AbaddonPoS employs a CALL instruction to push a function parameter onto the stack rather than simply using, for instance, the more common PUSH instruction. A CALL instruction pushes the next address onto the stack, which is typically used as a return address following a RETN instruction,” said the researchers in a blog post.
The researchers added that most of AbaddonPoS's code is not obfuscated or packed, with the exception of the code used to encode and transmit stolen credit card data.
The malware then tries to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
Communication and exfiltration of credit card data is carried out by the decoded shellcode downloaded by TinyLoader.
The firm said that the practice of threat actors increasing their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice.
Patrick Wheeler, director of threat intelligence for Proofpoint, said the appearance of new PoS malware on the eve of the holiday shopping season highlights that despite the adoption of EMV cards, credit card swipes remain a valuable target for cyber-criminals.
“AbaddonPoS takes advantage of organisations that use the same computer to process PoS transactions and check emails. It resists analysis and encodes stolen credit card data for easy transfer,” he said. “Organisations need to silo their PoS terminals and use advanced cyber-security technology that stops the latest malware from getting in—and prevents sensitive credit card data from unauthorised removal.”