Firm detects Zeus variant targeting POS terminals

Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.

A new report (PDF) from security firm Websense detailed the campaign that used the hybrid malware.

According to the findings, published on Wednesday, researchers saw a spike in malicious command-and-control server traffic around late November. The 15-page report, called “Using Anomalies in Crash Reports to Detect Unknown Threats,” specifically highlighted how risk indicators can be gleaned by analyzing application crash activity, particularly crash reports generated by Windows Error Reporting.

Of note, Websense tracked the influx of POS application crashes in November, and found that a clothing retailer in the Eastern U.S. was infected with the Zeus variant.

On Friday, Alex Watson, director of security research at Websense, said via email correspondence that the firm is also investigating whether retailers in Europe were impacted by the new malware.

He added that the Zeus variant would work to the favor of criminals targeting retailers, since “Zeus malware would be useful for exfiltrating stolen credit numbers from point-of-sale terminals to the attackers' infrastructure.”

Malware with RAM-scraping capabilities would offer attackers another means of siphoning financial data from users, as was the case with malware dubbed POSRAM, which struck Target's point-of-sale systems.

Watson later explained how examining crash reports revealed significant details about the attack campaign.

“It is possible that the cluster of point-of-sale application crashes that were caused by the malware in late November could have been seen due to a heavy volume of credit card transactions, causing instability in the malware which forced the point-of-sale program to crash repeatedly,” Watson wrote.

In a video interview with SC Magazine, Watson further spoke to the valuable threat information the firm pulled from crash reports in its research.

The Websense report called attention to the attack group's distinctive approach in using the Zeus variant.

“This is most definitely not a mass malware infection, but rather one that is targeting businesses specifically in the wholesale trade sector – very much different than a typical Zeus infection that is evenly distributed across industries such as financial, government and healthcare. This creates yet another risk indicator that we may be looking at a targeted campaign focused on POS applications,” the report said.
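The two risk indicators described above, a cluster of crashes in one application and concentration of those crashes in a single industry sector, can be combined in one check. This is an added example, not code from the Websense report; the record fields, application names, thresholds and sample data are constructed assumptions and do not reflect the Windows Error Reporting format.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample records: (day, application, industry sector of the reporting org).
# Names and values are hypothetical; this is not the Windows Error Reporting schema.
def build_sample():
    rows = []
    for day in range(1, 29):                      # quiet baseline: one crash per app per day
        rows.append((day, "pos_app.exe", "wholesale trade" if day % 2 else "financial"))
        rows.append((day, "browser.exe", ["financial", "government", "healthcare"][day % 3]))
    for day in (29, 30):                          # constructed late-month crash cluster
        rows += [(day, "pos_app.exe", "wholesale trade")] * 12
        rows.append((day, "browser.exe", "government"))
    return rows

def crash_spikes(rows, baseline_days, threshold=3.0):
    """Return {app: [days]} where the daily crash count exceeds mean + threshold * stddev."""
    daily = defaultdict(Counter)
    for day, app, _ in rows:
        daily[app][day] += 1
    spikes = {}
    for app, counts in daily.items():
        base = [counts.get(d, 0) for d in baseline_days]
        # Floor the deviation at 1 so a perfectly flat baseline does not flag small noise.
        limit = mean(base) + threshold * max(pstdev(base), 1.0)
        hot = sorted(d for d, n in counts.items() if d not in baseline_days and n > limit)
        if hot:
            spikes[app] = hot
    return spikes

def sector_concentration(rows, app, days):
    """Return (top sector, its share) of the app's crashes on the given days."""
    sectors = Counter(s for d, a, s in rows if a == app and d in days)
    top, n = sectors.most_common(1)[0]
    return top, n / sum(sectors.values())

def risk_indicators(rows, baseline_days=range(1, 29), min_share=0.8):
    """Flag crash clusters, marking those concentrated in one sector as likely targeted."""
    findings = []
    for app, days in crash_spikes(rows, set(baseline_days)).items():
        sector, share = sector_concentration(rows, app, set(days))
        findings.append({"app": app, "days": days, "sector": sector,
                         "share": round(share, 2), "targeted": share >= min_share})
    return findings

if __name__ == "__main__":
    for finding in risk_indicators(build_sample()):
        print(finding)
```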
