U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Malware

Trustwave analyzed of point-of-sale malware

Experts at Trustwave analyzed point-of-sale malware providing data related principal code used, exfiltration and persistence techniques implemented. Trustwave firm as published an interesting report on the point-of-sale malware based on its investigation on different breaches involving payment card data. The experts at Trustwave have examined a large amount of malware that targets point-of-sale devices, this family of malicious code is […]

Trustwave analyzed of point-of-sale malware

Experts at Trustwave analyzed point-of-sale malware providing data related principal code used, exfiltration and persistence techniques implemented.

Trustwave firm as published an interesting report on the point-of-sale malware based on its investigation on different breaches involving payment card data. The experts at Trustwave have examined a large amount of malware that targets point-of-sale devices, this family of malicious code is specifically designed to steal the sensitive information stored in the magnetic stripe of a payment card. Point-of-sale malware are able to steal data from directly from PC memory or from the disk of the infected machine. According to Trustwave 2013 was characterized by the evolution of POS malware, a growth never seen before. The experts notices in particular new developments in data exfiltration techniques,also the command and control (C&C) functionality were substantially improved, for example with the used of Tor networks.

“We also saw evidence of more authors automating the installation and control of their malware in 2013. While Trustwave discovered a number of new POS malware families exhibiting botnet-like tendencies, a number of well-known, older families also made an appearance.” states the post published by Trustwave.

 

point-of-sale

 

The Alina malicious code was the malware family most prevalent (19,1) within the cases investigated by Trustwave, followed by Baggage (16,5%) and Triforce (11,2%). Other point-of-sale malware families used by the criminals gangs worldwide were Blackpos, Dexter and ChewBacca.

The report also provides further information on the principal POS malware, Dexter was considered singular for its memory dumping functionality, because it performs process-injection, logs keystrokes and includes a C&C structure. Another significant point-of-sale malware family is Chewbacca, which implemented an exfiltration mechanism over the Tor network which host C&C servers.

“Debuting in late 2012, Alina surprised many, because it was one of a small number of POS malware families that included a C&C structure, encrypted the data it exfiltrated, blacklisted common Windows processes and installed itself to a randomly chosen name.”

As reported in the report, in many cases, cyber criminals used commercial keyloggers to infect the POS systems,  a common characteristic of all the POS malware families is the lack of encryption for exfiltrated data. The “exclusive OR” (XOR) operation is the encryption technique most used by the malware authors (32%) followed by Blowfish (3,7%).

Analyzing the exfiltration methods used by point-of-sale malware, the experts discovered that in the majority of cases (41%) the attackers don’t adopt a C&C infrastructure, but they leave the stolen data on disk to be extracted manually later. HTTP is the the second exfiltration technique (29%) followed by SMTP (22%).

The report ends with a look to the POS malware persistence mechanisms, that like the exfiltration techniques,  did not change significantly from 2012 to 2013. The point-of-sale malware analyzed maintained persistence in one of the following ways:

  • Run Registry Modification (53.2%)
  • Installed as a Service (30.9%)
  • AppInitDLLs Registry Modification (0.5%)
  • None (14.9%)

Pierluigi Paganini

(Security Affairs –  point-of-sale malware, cybercrime)