Attacks/Breaches
11/11/2014
05:02 PM

POS Malware Continues To Evolve

New report out today details three prevalent families.

With a little over two weeks until the holiday shopping season kicks off in earnest, a picture of the evolution of point of sale (POS) malware has come into focus through a number of recent pieces of research. A recurring theme is that POS malware is maturing, with different packages and families refined for specific attack scenarios.

Just today, researchers with Cyphort Labs released a report that dissected three families of POS malware associated with three distinct breach incidents at Target, Home Depot, and UPS over the past year--BlackPOS, FrameworkPOS, and Backoff respectively.

"Looking at the modes of operation of the three families one can clearly identify two directions: one from the targeted attacks on Target and Home Depot, and the other from the more generalized approach of Backoff," they wrote. "Targeted attacks are identified by the fact that the attacker chooses the target and specifically designs the attack, while in a general approach, the nature and identity of the victim are unknown to the attacker."

Tailored for attacks against dedicated targets, both FrameworkPOS and BlackPOS have multi-functional components for persistence, memory scraping, process enumeration, and data exfiltration.

"They are most likely not from the same authors but FrameworkPOS leave the strong impression of a copycat attack after former POS malware incidents," the report says. "Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root."
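A defender's check for the staging behaviour the report describes (card data hidden in a fake binary file), added here as an example and not taken from the Cyphort report: it scans a byte buffer for Track 2 records, validates each with the Luhn checksum, and returns only masked account numbers. The Track 2 layout follows ISO/IEC 7813; the function names and the sample buffer (built around a standard test card number) are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes):
    """Return (offset, masked PAN) for each plausible Track 2 record in buf."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan, month = m.group(1), int(m.group(3))
        if not 1 <= month <= 12 or not luhn_ok(pan):
            continue  # impossible expiry month or bad checksum: noise
        # Never write full PANs to a report: keep first six and last four.
        masked = pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()
        hits.append((m.start(), masked))
    return hits


def scan_file(path: str):
    """Scan one file on disk, e.g. an unexpected binary in the system root."""
    with open(path, "rb") as fh:
        return find_track2(fh.read())


# Constructed sample: a fake "binary" header followed by one valid record,
# one record with a bad Luhn digit, and one with an impossible month (13).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b";4111111111111111=25121010000000000?" + b"\xff\xfe"
    + b";4111111111111112=25121010000000000?"
    + b";4111111111111111=25131010000000000?"
)

if __name__ == "__main__":
    for offset, masked in find_track2(SAMPLE):
        print(f"track 2 data at offset {offset}: {masked}")
```

A hit inside a file that claims to be a DLL or executable, on a host in the card processing network, is a strong signal that scraped data is being staged for exfiltration.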

The establishment of the multi-step approach all-in-one package comes from years of refinement of these malware packages in the underground. As Josh Grunzweig of Nuix explained in a recent talk at SecTor on POS malware, malicious software targeting payment systems is hardly a new thing.

"This past year alone you can't go more than a week without hearing some story in the news of some company with tens of millions of cards stolen. And it's this chaotic vibe," Grunzweig says. "In truth this stuff has been around for a long time."

For example, first found in the wild last year, BlackPOS is "actually not that sophisticated" and depends on code from mmon, a memory scraping piece of malware first discovered in 2010, he says. In truth, he'd say the first real advancement in POS malware came with the introduction of the Dexter family of malware in late 2012.

"Dexter was kind of a game changer," he said. "All of a sudden it's pulling in a lot of interesting stuff, it's memory scraping, it's key logging, it's doing this cool thing where it injects into Internet Explorer so you can't kill it. It's exfiltrating data and one of the real standouts was the fact that it had a command-and-control server."

This approach paved the way for something like Backoff, first found and named by Grunzweig himself last year. According to an advisory from the Department of Homeland Security, Backoff had already infected more than 1,000 U.S. businesses at that point.

"Maybe the biggest takeaway from Backoff is that it is super, super prevalent," Grunzweig says.

And, according to new research from Fortinet, it's still evolving. Last week, Fortinet's researchers showed that several new versions of Backoff have surfaced that include new tweaks, notably around obfuscation. Now instead of disguising itself as a Java component, it is appearing as a media player and it uses hash functions for APIs and the names of blacklist processes. Modifications have been made to its C&C communication component to evade detection. Additionally, the latest version of the malware is now packed with a custom packer.  

"Like the API hashing function and the blacklist process name hashing function, using a custom packer is yet another attempt to hinder the analysis process," explains Hong Kei Chan. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
GonzSTL,
User Rank: Ninja
11/17/2014 | 11:36:50 AM
Re: Alarming
The two processes critical to the POS operation are: card data capture and communications with the transaction processor, and communications with internal back office applications.  So really, the best way to go is to ensure the security of the local machines and infrastructures. Encryption helps, no doubt, but at some point in time, the data needs to be decrypted so that processing can continue with the actual data, and this takes place within memory, the RAM scraper playground. So really, strict controls on the card transaction computing machine, stripping down services and applications to the bare minimum, file integrity protection, and anti-malware software serve to provide much needed protection to help prevent data leakage. Isolation and continuous monitoring of the card processing network help at the transaction perimeter, and strict controls on the back end internal server and external perimeter infrastructure help to prevent data exfiltration. None of these techniques are new; in fact, they are well established practices that have been preached for a very long time. It all boils down to strict controls and proper enforcement; breaches occur when those controls are violated. Upper management should make sure that there are sufficient resources to properly address and enforce those controls, and that appropriate separation of duties exist to address conflicts of interest.
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 10:08:36 AM
Retail hacking Radio Show THIS Wednesday @ Noon ET
@Dr.T -- and others. Just a reminder about our DR Radio show this week, which is totally focused on retail industry breaches: Retail Hacking: What To Expect This Holiday Season (Wednesday at 1:00 p.m. ET (10:00 a.m. PT)). It promises to be a great show, with Kelly Jackson-Higgins interviewing Nick Pelletier, senior consultant with Mandiant and Arthur Tisi, co-founder and CEO at The Praescripto Group LLC, and former CIO for Natural Markets Food Group. To register and save the date, click here.

 
Dr.T,
User Rank: Ninja
11/17/2014 | 9:39:45 AM
Re: Alarming
There can always be end to end encryption to reduce the risk of data being compromised. There is no real need to keep data on the POS unencrypted, easy to solve but it will cost more of course.
Dr.T,
User Rank: Ninja
11/17/2014 | 9:37:03 AM
Re: Cyber Security World Conference 2014
I will most likely miss this but hope to be able to follow it online. We now know bad guys are winning based on the recent trends, good guys need to come together and address the issues for sure.
Dr.T,
User Rank: Ninja
11/17/2014 | 9:34:17 AM
POS terminals
It looks like we need to increase intelligence and security on POS terminals, they seem to be proven the weakest link on Target and Home Depot attacks. Maybe in the light of Internet of Things we will have better controlled and managed POS devices.
RyanSepe,
User Rank: Ninja
11/12/2014 | 7:43:13 AM
Alarming
What a scary notion to ponder before the holiday season where credit cards will be swiped an incredible amount of times. It seems that with the evolution of malware in regards to POS that encryption of the POS points is no longer a strong means of securing customer data since much of the malware is sitting on the boxes themselves according to this article. This means that to perform their job, the machines will eventually have to decrypt the data from the cards and I would believe this would be done on the same system. With this being the case, what are some means of ensuring customer data security, other than persistent scans to detect malware on a daily basis?
KennethW444,
User Rank: Apprentice
11/12/2014 | 1:57:47 AM
Cyber Security World Conference 2014

Along these lines, cyber security experts will be in attendance at Golden Networking's Cyber Security World Conference 2014, November 21, where renowned information security authorities will bring their latest thinking to hundreds of senior executives focused on protecting today's enterprises and government data assets. This conference is organized by Golden Networking.
