The presence of debug information in the malware and lack of any identifiable command-and-control capabilities has led researchers to believe that TSPY_POSLOGR.K is in a beta testing phase.

Trend Micro has identified a new point-of-sale (POS) threat detected as TSPY_POSLOGR.K.

The presence of debug information in the malware, as well as the lack of any identifiable command-and-control capabilities, has led researchers to believe that TSPY_POSLOGR.K is in a beta testing phase, Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence.

“As with all software it's hard to say when a 'beta' is finished and ready for 'production,'” Budd said. “In this case, at least, having the missing command-and-control components is key to it being a piece of production malware.”

Because it seems to be in a beta testing phase, researchers have not seen TSPY_POSLOGR.K being widely used, Budd said.

“[From] what we have seen [it] reads data from processes specified in the initialization file,” Budd said. “In this case it's credit card [and] point-of-sale information. But the component flexibility means it could easily be repurposed for additional data on the infected system.”

Budd referred to the malware sample as a modular and functional component that only takes a single action out of the several involved in a POS breach. He said that other components are needed to take other actions – such as retrieving data dumps – and explained that a complete attack is likely carried out by deploying those other components as part of a package.

The analyzed sample takes actions as commanded by the configuration file, which is not present on the system by default, most likely as an obfuscation step, Budd said, adding that this makes it harder to understand what actions the malware is taking on infected systems.

“This makes this component more flexible because instructions can be changed in the configuration file rather than rewriting the component itself,” Budd said. “This is consistent with professional software development practices and shows increasing sophistication and professionalism.”

Budd could not share any information on the malware's origin, but he said that analysis of this component will be beneficial in the future.

“This analysis enables us and others in the industry to build new signatures to detect this particular component,” Budd said. “The developments in new tactics also enable researchers to [better know] additional components and elements of an attack that they should be looking for in the future.”

Trend Micro released a blog post about TSPY_POSLOGR.K on Thursday, just a day after Nick Hoffman, lead reverse engineer at CBTS, posted about POS malware referred to as 'getmypass.' Budd said he has not done a full comparison, but indicated that the two threats appear to be the same.