[BreachExchange] Fresh POS Malware Strikes Small and Midsize Companies

Destry Winant destry at riskbasedsecurity.com
Fri Mar 15 08:51:54 EDT 2019


A closely held type of point-of-sale malware appears to be spreading
further, and it uses a resiliency trick borrowed from botnet
operators, according to new research from Flashpoint, a threat
intelligence firm.

Flashpoint announced its findings Wednesday, the same day that Cisco's
Talos intelligence unit described another new type of point-of-sale
malware, GlitchPOS, which disguises itself as a game involving

Flashpoint says the malware, called DMSniff, is hitting small and
midsize businesses in the restaurant and entertainment industries.
Those industries process physical payment cards at the counter,
which makes their point-of-sale systems targets for
memory-scraping malware, also known as RAM scrapers.

Point-of-sale malware has struck big companies such as Target, Home
Depot and many others over the last few years. Those attacks have
raised awareness around vulnerabilities in payment systems.

Companies have sought to improve defenses and are required by the card
companies to follow the Payment Card Industry Data Security
Standard, or PCI DSS. But the risks are ever-present and attacks are

"Point-of-sale malware continues to plague industries such as food
services and hospitality where older and unsupported systems remain
prevalent," write Jason Reaves and Joshua Platt, both principal threat
researchers with Flashpoint. "In these environments where card-present
transactions are king, criminals have been relentless in targeting
these vulnerable devices."

The emergence of more sophisticated card-scraping malware doesn't bode
well for retail companies, which can face steep costs for remediating
large breaches. Those costs include forensic investigations, customer
outreach, regulatory inquiries and possibly fines from card companies.
And despite a surfeit of stolen card details on the black market,
efforts to steal more continue (see: Big Dump of Pakistani Bank Card
Data Appears on Carder Site).

Botnet Trick Borrowed

Although DMSniff is newly discovered, it has likely been in use since
2016, Reaves and Platt write. They suspect, with low confidence, that
attackers may be brute-forcing SSH credentials on devices or scanning
for other vulnerabilities, leading to an infection.

The malware uses several tricks to maintain persistence and keep a low
profile. DMSniff embeds a domain generation algorithm, or DGA, which
produces a stream of candidate domains from hard-coded values. If the
malware's operator registers one of those domains, the bots that
compute it will reach it and it can serve as a command-and-control
server.

That's a technique borrowed from botnet herders. Using DGAs helps
maintain a botnet's resiliency. If hosting companies or law
enforcement shut down a known C&C node, the bots simply keep trying
domains from the generated list until the operator registers another
one. Because the C&C servers can be rotated frequently, cutting off
communication with the botnet requires predicting the generated
domains, not just blocking the ones already seen.

Flashpoint notes that the use of a DGA in POS malware is rare.

"The DGA is based on a number of hard-coded values; in the samples
researchers have found, the first two characters of the generated
domains are hard-coded in the bot," they write. "Researchers have
found 11 variants of this DGA so far, all structured in the same
algorithm, but with variable first two letters and hard-coded multiply
values in the algorithm."
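An illustrative generator and log matcher, added here as an example and not code from DMSniff or from Flashpoint's analysis. Only the shape follows the report: each variant carries a hard-coded two-letter prefix and a hard-coded multiply value. The multiply-add state update, the alphabet, the domain length, the TLD, the three parameter sets and the seed are all invented for the example. The second half shows what a defender does with a recovered DGA: precompute the candidate domains for every known variant and match them against resolver logs (constructed sample lines here).

```python
"""Illustrative DGA with a hard-coded prefix and multiply value per variant,
plus a resolver-log matcher. Every constant here is an assumption made for
this example; nothing is taken from DMSniff or from Flashpoint's report."""
from dataclasses import dataclass
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


@dataclass(frozen=True)
class DgaVariant:
    prefix: str        # hard-coded first two characters of every domain
    multiplier: int    # hard-coded multiply value used by the state update
    tld: str = ".com"


# Hypothetical parameter sets standing in for the variants Flashpoint describes.
VARIANTS = (
    DgaVariant("dm", 0x41C64E6D),
    DgaVariant("ab", 0x0019660D),
    DgaVariant("qz", 0x5851F42D),
)


def generate_domains(variant: DgaVariant, seed: int, count: int, length: int = 10) -> list[str]:
    """Return `count` candidate domains for one variant, deterministic in `seed`."""
    state = seed & 0xFFFFFFFF
    domains = []
    for _ in range(count):
        chars = []
        for _ in range(length - len(variant.prefix)):
            # Multiply-add step on 32-bit state; the multiplier is what differs between variants.
            state = (state * variant.multiplier + 0x1F) & 0xFFFFFFFF
            chars.append(ALPHABET[(state >> 16) % len(ALPHABET)])
        domains.append(variant.prefix + "".join(chars) + variant.tld)
    return domains


def candidate_set(seed: int, per_variant: int = 50) -> set[str]:
    """Union of candidates across all known variants, as a defender would precompute."""
    out: set[str] = set()
    for v in VARIANTS:
        out.update(generate_domains(v, seed, per_variant))
    return out


# Constructed resolver log format: "<timestamp> <client> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def match_dns_log(lines, candidates) -> list[tuple[str, str]]:
    """Return (client, qname) for every query whose name is a precomputed DGA candidate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _rcode = m.groups()
        if qname.lower().rstrip(".") in candidates:
            hits.append((client, qname))
    return hits


SEED = 0x20190313          # hypothetical seed; a real family might derive it from a date or config value
CANDIDATES = candidate_set(SEED)
PLANTED = generate_domains(VARIANTS[0], SEED, 5)[2]   # pretend the operator registered this one

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2019-03-13T10:02:11Z 10.0.3.17 pos-updates.example.com NOERROR",
    f"2019-03-13T10:02:12Z 10.0.3.17 {PLANTED} NOERROR",
    "2019-03-13T10:02:13Z 10.0.3.22 www.example.org NOERROR",
    "2019-03-13T10:02:14Z 10.0.3.17 dmnotacandidate.com NXDOMAIN",
]

if __name__ == "__main__":
    for client, qname in match_dns_log(SAMPLE_LOG, CANDIDATES):
        print(f"DGA hit: {client} -> {qname}")
```

The value of reversing the DGA is exactly this precomputation: once the constants are recovered, defender and operator enumerate the same domains, so the candidates can be sinkholed or blocked before the operator registers them. Because the prefix is fixed per variant, a hit also tells you which variant is on the host. Note that a name sharing the prefix but not produced by the algorithm (the last sample line) is correctly ignored.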

To help mask its communications with the C&C server, DMSniff uses
encrypted strings. "This shields the malware's capabilities from
detection, making it difficult for researchers to learn its
capabilities," Flashpoint writes.

DMSniff probes cautiously after it infects a POS system. It carries a
list of process names to skip and only inspects the remaining
processes that may hold card data, according to
"Each time it finds an interesting process, it will loop through the
memory sections to attempt to find a credit card number," Reaves and
Platt write. "Once a number is found, the bot takes the card data and
some of the surrounding memory, packages it and sends it to the C2."

Another Entrant: GlitchPOS

Also on Wednesday, Talos described the GlitchPOS malware, a new RAM scraper.

GlitchPOS was first described in a post on a malware forum last month.
It was offered for sale by a user, "edbitss," whom Talos links to
the DiamondFox L!NK botnet; Talos also notes similarities between the
two malware families' control panels.

"We can see that edbitss developed malware for years even after being
publicly mentioned by cybersecurity companies," Talos writes. "He left
DiamondFox to switch to a new project targeting point-of-sale. The
sale opened a few weeks ago, so we don't know yet how many people
bought it or use it."

A built version of GlitchPOS costs $250; the malware builder costs
$600 and a gate address change is $80, Talos writes.

"This investigation shows us that POS malware is still attractive and
some people are still working on the development of this family of
malware," Talos writes.
