Security researchers are warning of new macro-based POS malware designed to steal card data from Windows Point of Sale systems.
FireEye threat researchers Nart Villeneuve and Daniel Regalado explained in a blog post that the Nitlove POS malware is, unusually, disseminated via an indiscriminate spam campaign.
The unsolicited emails from spoofed Yahoo Mail accounts reference job opportunities and contain a ‘CV’ as an attachment.
That attachment actually contains an embedded malicious macro, which the attackers try to trick recipients into enabling by claiming it’s a protected document.
If enabled, the macro will download and execute a malicious executable from a server containing a wide variety of malware.
“We focused on the ‘pos.exe’ malware and suspected that it may be targeted at Point of Sale machines,” the blog noted. “We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware.”
The malware apparently copies itself to disk using NTFS Alternate Data Streams (ADS), which means the files won’t be immediately visible in a normal directory listing. It will also monitor its files and “respawn” them if there are any attempts to delete them.
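Because a file’s alternate streams do not show up in Explorer or a plain `dir`, a defender has to ask for them explicitly. The following is an added example (not code from the FireEye post or from the malware) that walks a directory tree, lists every non-default NTFS stream and flags any stream that begins with the “MZ” header of a Windows executable; the starting path is an assumption and the script targets Windows PowerShell 5.1.

```powershell
# Added defender-side check: enumerate NTFS Alternate Data Streams under a path
# and flag streams whose first two bytes look like a PE ("MZ") header.
# Assumes Windows PowerShell 5.1 (uses -Encoding Byte); $Path is an assumed default.
param(
    [string]$Path = "C:\Users"
)

Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream on the file. ':$DATA' is the normal
        # file content and Zone.Identifier is the browser "mark of the web", so both
        # are skipped; anything else is worth a look.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $stream = $_
                # Read only the first two bytes of the stream to test for an MZ header.
                $header = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                $looksLikePE = ($header.Count -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $stream.Stream
                    Bytes       = $stream.Length
                    LooksLikePE = $looksLikePE
                }
            }
    } |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Any row with LooksLikePE set to True is an executable hidden in a stream and should be pulled for analysis; a stream name that is unusual for the host is a signal on its own even when the content is not a PE.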
Nitlove POS is designed to scrape Track 1 and Track 2 card data, save it and send it out to a hard-coded C&C server located in the Russian city of St Petersburg. It’s sent via SSL, which makes it harder to track, according to FireEye.
The firm said this latest discovery is yet another example of the ever-evolving nature of POS malware:
“Even cybercriminals engaged in indiscriminate spam operations have POS malware available and can deploy it to a subset of their victims. Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant.”
Attacks involving POS malware have exploded over the past year as cybercriminals look to take advantage of security weaknesses in mainly US-based retail and hospitality environments.
It is hoped that with the coming chip and PIN implementations, this avenue for data theft will largely be shut down for attackers.