Small businesses running cloud-based POS software hit with unique ‘POSCLOUD’ malware

Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler.

The malware is referred to as POSCLOUD.Backdoor/Agent, or simply POSCLOUD, and it targets cloud-based POS software typically used by smaller businesses – such as grocery stores and retailers – and accessed through Internet Explorer, Safari and Google Chrome, according to a Wednesday post.

POSCLOUD uses keylogging and stealthy screenshot grabbing to monitor customer flow and steal personal data, unlike standard POS malware such as Dexter and Alina, which use RAM scraping to steal information, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Wednesday email.

“We identified it right after a pretty big botnet takedown and think that it was developed specially by cyber criminals in private [circles] to attack cloud-based environments, and hunt for IDs and customer data, including credit cards,” Komarov said, adding the information is then sold on underground marketplaces to identity thieves.

Several specifically targeted attacks using the malware have been observed so far against businesses in the U.S. and the EU, Komarov said, adding that, due to an ongoing investigation, IntelCrawler can only speculate that an EU-based group of cyber criminals is responsible for the threat. 

“[The attackers carry out] targeted attacks against tellers and [other individuals] that work with these kinds of systems, and infect [the systems] with client-side exploit kits and malware, [such as] POSCLOUD, which is pretty similar to banking trojans,” Komarov said, explaining attackers make use of spear phishing emails spoofed from cloud-based POS services providers.

Additionally, a look at an identified command-and-control server revealed that the attackers use code that not only enables the downloading and unpacking of modules used to intercept forms and credentials, but also checks for a network connection with specific cloud-based POS providers, according to the post.

A fairly wide range of cloud-based POS systems were compromised, Komarov said.

“It shows that the niche of cloud-based technologies for retailers supporting integration with POS equipment is pretty insecure, especially for small businesses, which prefer to use [less expensive] systems in order to reduce costs,” Komarov said, adding he expects to see an increase in the number of these types of attacks.