
Researchers identify POS malware targeting ticket machines, electronic kiosks


Electronic kiosks and ticketing systems are being targeted by a new type of point-of-sale (POS) threat known as “d4re|dev1|,” which acts as an advanced backdoor with remote administration and has RAM scraping and keylogging features, according to IntelCrawler.

The malware also targets standard PCs that are connected to POS terminals or have embedded terminals, and it can steal credentials from retail management systems and corporate software as well as payment card data, Andrew Komarov, CEO of IntelCrawler, said in a Wednesday email correspondence.

Data can be intercepted from a variety of corporate and retail management services, including OSIPOS Retail Management System, Harmony WinPOS, and Figure Gemini POS, according to a Wednesday post.

Ticket vending machines and electronic kiosks in public places and mass transport systems are additionally at risk, with one compromised device identified in Sardinia in August, the post indicates, explaining that these machines are typically not well secured and that exfiltration of payment data from them can go on undetected.

“We have observed several botnets, having close to 80 compromised merchants, but can say that the number is growing,” Komarov said, adding regions in the U.S., EU and Australia have been affected. He said that d4re|dev1| is initially infecting systems “through remote administration channels, like [unsecured] VNC, RDP, Team Viewer, PCAnywhere.”

IntelCrawler believes that the malware authors are from Europe, since their first targets were only from EU countries, Komarov said, explaining that the attackers likely have good connections to fraudsters from the carding world.

“The bad actors also proposed [a] ‘B2B’ scheme, [where] they provide this malware for rent, or receive compromised POS terminals for further installation of [their] own malware for some [percentage] from intercepted payment data, which is [a] pretty interesting underground economy model,” Komarov said.
