LockPoS, a point-of-sale (PoS) malware that steals credit card data, has picked up a new, stealthier code-injection technique that appears to be a variant of the one used by Flokibot.
According to Cyberbit, LockPoS reads the memory of running processes on the computers attached to PoS terminals, searching for data that looks like credit-card information, and sends whatever it finds to its command-and-control (C&C) server. The malware is distributed by the same botnet that distributes Flokibot, another PoS malware, and now appears to have picked up characteristics from its sister code: a code-injection technique that is silent and avoids the hooks antivirus products place on Windows API functions.
Most next-gen antivirus products already monitor Windows API functions in user mode, because that is where they can. On 64-bit Windows, including Windows 10, the kernel is guarded by Kernel Patch Protection, so third-party products cannot hook the kernel's own system-call handlers; they instead hook the user-mode wrappers (in ntdll.dll and the Win32 DLLs) that applications normally call. LockPoS, like Flokibot, has been updated to slip under those user-mode hooks.
According to Cyberbit, the approach is a section-mapping injection: create a section object (a kernel object, here backed by the pagefile rather than by a file on disk) with NtCreateSection; use NtMapViewOfSection to map one view of it into the malware's own process and a second view into the target process; copy the code into the local view, which, because both views alias the same pages, places it in the target without a WriteProcessMemory call; and finally start a remote thread at the mapped address with NtCreateThreadEx or CreateRemoteThread to execute it.
“This new malware injection technique suggests a new trend could be developing [consisting of] using old sequences in a new way that makes detection difficult,” explained Hod Gavriel, malware analyst at Cyberbit, in a technical analysis. “For now, the best detection approach is to focus on improving memory analysis, which can be tricky, but these are the best traces currently accessible to security solutions.”
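One form the memory analysis Gavriel recommends can take, as an added example that is not part of Cyberbit's analysis: a heuristic run over a process's memory map and thread list that flags executable code which did not come from a file on disk, and then the threads that start inside it. The snapshot is constructed sample data with hypothetical addresses and paths, shaped like what VirtualQueryEx or a memory-forensics tool reports; region 4 and thread 3 are what the section-mapping injection described above leaves behind.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Region type as VirtualQueryEx / a memory-forensics tool reports it. */
typedef enum { REGION_IMAGE, REGION_MAPPED, REGION_PRIVATE } RegionType;

typedef struct {
    uint64_t    base;
    uint64_t    size;
    RegionType  type;
    int         executable;   /* 1 if the protection is any PAGE_EXECUTE_* value */
    const char *backing;      /* backing file path, or NULL for pagefile-backed memory */
} Region;

typedef struct { uint32_t tid; uint64_t start; } Thread;

/* Constructed snapshot of a PoS process (sample data, not real telemetry).
   Region 4 is the injected view: executable, MEM_MAPPED, backed by the pagefile. */
#define N_REGIONS 5
static const Region SAMPLE_REGIONS[N_REGIONS] = {
    { 0x00400000ULL, 0x00100000ULL, REGION_IMAGE,   1, "C:\\pos\\pos.exe" },
    { 0x77000000ULL, 0x001a0000ULL, REGION_IMAGE,   1, "C:\\Windows\\System32\\ntdll.dll" },
    { 0x00600000ULL, 0x00020000ULL, REGION_PRIVATE, 0, NULL },   /* heap */
    { 0x7ff00000ULL, 0x00001000ULL, REGION_MAPPED,  0, NULL },   /* benign shared memory */
    { 0x02a00000ULL, 0x00001000ULL, REGION_MAPPED,  1, NULL },   /* injected view */
};
#define N_THREADS 3
static const Thread SAMPLE_THREADS[N_THREADS] = {
    { 1, 0x00401234ULL },   /* pos.exe entry point */
    { 2, 0x77012345ULL },   /* worker started inside ntdll */
    { 3, 0x02a00000ULL },   /* remote thread created by the injector */
};

/* Executable memory that no file on disk backs: an executable view of a
   pagefile-backed section (this article's technique) or executable private
   memory (classic VirtualAllocEx + WriteProcessMemory injection). */
int region_is_suspicious(const Region *r)
{
    if (!r->executable) return 0;
    if (r->type == REGION_MAPPED && r->backing == NULL) return 1;
    if (r->type == REGION_PRIVATE) return 1;
    return 0;
}

static const Region *region_containing(const Region *regs, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= regs[i].base && addr < regs[i].base + regs[i].size) return &regs[i];
    return NULL;
}

/* Threads whose start address lies in a suspicious region. Writes up to `cap`
   thread IDs into `out`; returns how many were found in total. */
size_t find_injected_threads(const Region *regs, size_t nr, const Thread *ths, size_t nt,
                             uint32_t *out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nt; i++) {
        const Region *r = region_containing(regs, nr, ths[i].start);
        if (r && region_is_suspicious(r)) {
            if (found < cap) out[found] = ths[i].tid;
            found++;
        }
    }
    return found;
}

int main(void)
{
    uint32_t hits[8];
    size_t n = find_injected_threads(SAMPLE_REGIONS, N_REGIONS, SAMPLE_THREADS, N_THREADS, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("thread %u starts in executable memory with no file backing\n", hits[i]);
    return 0;
}
```

A hit is a lead, not a verdict: JIT runtimes and some packers legitimately create executable private or pagefile-backed memory, so the region should be dumped and the thread's start address and stack examined before acting. Checking the region alone produces more noise than pairing it with a thread that actually starts there, which is the pattern this injection leaves.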