Security vendor Trend Micro has warned of a new strain of point-of-sale (PoS) malware designed to lift and exfiltrate customer card data, which has managed to stay undetected since 2013.
Dubbed PwnPOS to distinguish it from the numerous other families of PoS malware that have emerged in recent months, this strain has been able to fly under the radar of detection systems thus far “due to its simple but thoughtful construction,” according to Trend Micro threat analyst Jay Yaneza.
It’s comprised of two parts: a RAM scraper binary and a data exfiltration binary, he said in a blog post.
“While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors,” Yaneza continued.
“The RAM scraper goes through a process’ memory and dumps the data to the file and the binary uses SMTP for data exfiltration.”
Part of the reason PwnPOS has stayed undetected this long is down to its ability to add or remove itself from the list of services on a targeted PoS machine without fully deleting.
This means it can maintain persistence on a victim machine – appearing benign “as it waits within the %SYSTEM$ directory for the next time it is invoked.”
However, it apparently doesn’t work on 64-bit Windows versions, or post-Vista versions of the operating system which have User Account Control enabled.
“The above-mentioned caveats may be a non-issue since a good majority of PoS terminals are still running on Windows XP and there is no pressing need for 64-bit operating system installations in these kinds of systems,” argued Yaneza.
PwnPOS has been spotted by Trend Micro operating alongside similar malware such as BlackPOS and Alina targeting SMBs in Japan, Australia, India, North America and Europe.
Sagie Dulce, security researcher at Imperva, claimed the discovery shows that a few scripts and an off-the-shelf scraper is all an attacker needs to breach an organization.
“As these types of attacks become more and more mainstream it is harder for security teams to catch the ‘real’ perpetrator. They are biased towards known threats, making new ones harder to detect,” Dulce added.
“Hackers may actually take advantage of this, and plant known malware as a method to cover their tracks. Once the forensic team finds BlackPOS, the case is closed and the hackers can move on to the next victim, knowing that their tool was not compromised.”