As if retailers don’t have enough woes because of persistent cyber attacks in the last 24 months, now comes word of a new threat.
Cisco Systems’ Talos Security group has warned there’s a new family of malware that attacks Windows-based point of sale (PoS) systems circulating  that can scrape memory for credit card information. Cisco dubs the new malware family PoSeidon.
The malware includes a keylogger component that could steal passwords and therefore be the initial point of compromise.
Cisco says the attack starts with a loader binary that will first try to maintain persistence on the target machine in order to survive a possible system reboot. Upon being run, loader checks to see if it’s being executed with one of these two file names:
- WinHost.exe
- WinHost32.exe
If it is not, it will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next, it will start a service named WinHost so it remains running in memory even if the current user logs off.
The loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, a file called FindStr, installs the keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.
“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” says the Cisco [Nasdaq: CSCO] alert. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.
Only two weeks ago Trend Micro announced it had found a new PoS malware family that used mailslots for communications.
“We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.”