Infections have been observed in regions of the U.S., EU and Australia, with a ticket machine being targeted in Sardinia in August.

Electronic kiosks and ticketing systems are being targeted by a new type of point-of-sale (POS) threat known as “d4re|dev1|,” which acts as an advanced backdoor with remote administration and has RAM scraping and keylogging features, according to IntelCrawler.

The malware also targets standard PCs connected to POS terminals, or having embedded terminals, and can steal credentials from retail management systems and corporate software, as well as payment card data, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Wednesday email correspondence.

Data can be intercepted from a variety of corporate and retail management services, including OSIPOS Retail Management System, Harmony WinPOS, and Figure Gemini POS, according to a Wednesday post.

Ticket vending machines and electronic kiosks in public places and mass transport systems are additionally at risk, with one compromised device being identified in Sardinia in August, the post indicates, explaining that these machines are typically not well secured and that exfiltration of payment data can typically go undetected.

“We have observed several botnets, having close to 80 compromised merchants, but can say that the number is growing,” Komarov said, adding that regions in the U.S., EU and Australia have been affected. He said that d4re|dev1| is initially infecting systems “through remote administration channels, like [unsecured] VNC, RDP, Team Viewer, PCAnywhere.”

IntelCrawler believes that the malware authors are from Europe, since their first targets were only from EU countries, Komarov said, explaining that the attackers likely have good connections to fraudsters from the carding world.

“The bad actors also proposed [a] “B2B” scheme, [where] they provide this malware for rent, or receive compromised POS terminals for further installation of [their] own malware for some [percentage] from intercepted payment data, which is [a] pretty interesting underground economy model,” Komarov said.