
POS Malware Continues To Evolve

New report out today details three prevalent families.

With a little over two weeks until the holiday shopping season kicks off in earnest, a picture of the evolution of point of sale (POS) malware has come into focus through several recent pieces of research. A common theme is that POS malware is maturing, with different packages and families refined for specific attack scenarios.

Just today, researchers with Cyphort Labs released a report dissecting three families of POS malware, each associated with a distinct breach over the past year: BlackPOS (Target), FrameworkPOS (Home Depot), and Backoff (UPS).

"Looking at the modes of operation of the three families one can clearly identify two directions: one from the targeted attacks on Target and Home Depot, and the other from the more generalized approach of Backoff," they wrote. "Targeted attacks are identified by the fact that the attacker chooses the target and specifically designs the attack, while in a general approach, the nature and identity of the victim are unknown to the attacker."

Tailored for attacks against specific targets, both FrameworkPOS and BlackPOS have multi-functional components for persistence, memory scraping, process enumeration, and data exfiltration.

"They are most likely not from the same authors but FrameworkPOS leaves the strong impression of a copycat attack after former POS malware incidents," the report says. "Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root."
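The "scanning chunks of memory" that both BlackPOS and FrameworkPOS perform is a pattern search: the scraper reads another process's memory and looks for magnetic-stripe Track 1 and Track 2 data, which has a rigid layout (sentinel, PAN, separator, expiry and service code, end sentinel). The following Python is an added example, not code from the report or from either malware family; it shows the same search run over a constructed memory buffer, with a Luhn mod-10 check to discard digit runs that are not real card numbers. The regexes, the sample buffer and the test PAN 4111111111111111 are this example's own assumptions.

```python
import re

# Track formats the scraper hunts for (simplified from ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# PANs are 13-19 digits; expiry (4) plus service code (3) gives the fixed 7 digits.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{7})[^?]{0,50}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{7})[^?]{0,50}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check. Every real PAN passes, so it filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(chunk: bytes):
    """Return (track, PAN, offset) for every Luhn-valid track hit in a memory chunk."""
    hits = []
    for m in TRACK1_RE.finditer(chunk):
        if luhn_ok(m.group(1)):
            hits.append(("track1", m.group(1).decode(), m.start()))
    for m in TRACK2_RE.finditer(chunk):
        if luhn_ok(m.group(1)):
            hits.append(("track2", m.group(1).decode(), m.start()))
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, as a defender's log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "process memory": one Track 1 swipe, one Track 2 swipe, and a
# decoy whose PAN fails the Luhn check. 4111111111111111 is a standard test PAN.
SAMPLE_CHUNK = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    + b"\x00" * 8
    + b";4111111111111111=25121011234567890?"
    + b"\x00" * 8
    + b";4111111111111112=25121011234567890?"   # decoy: fails Luhn
    + b"\x00" * 16
)

if __name__ == "__main__":
    for track, pan, off in scrape(SAMPLE_CHUNK):
        print(f"{track} at offset {off}: {mask(pan)}")
```

The same scan, run by an analyst over a memory dump of the POS application rather than by the malware, is a quick way to confirm that card data is sitting unencrypted in a process and is therefore exposed to this class of scraper.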

This all-in-one, multi-step package is the product of years of refinement of these malware families in the underground. As Josh Grunzweig of Nuix explained in a recent talk at SecTor on POS malware, malicious software targeting payment systems is hardly new.

"This past year alone you can't go more than a week without hearing some story in the news of some company with tens of millions of cards stolen. And it's this chaotic vibe," Grunzweig says. "In truth this stuff has been around for a long time."

For example, BlackPOS, first found in the wild last year, is "actually not that sophisticated" and depends on code from mmon, a memory-scraping tool first discovered in 2010, he says. In his view, the first real advancement in POS malware came with the introduction of the Dexter family in late 2012.

"Dexter was kind of a game changer," he said. "All of a sudden it's pulling in a lot of interesting stuff, it's memory scraping, it's key logging, it's doing this cool thing where it injects into Internet Explorer so you can't kill it. It's exfiltrating data and one of the real standouts was the fact that it had a command-and-control server."

This approach paved the way for Backoff, first found and named by Grunzweig himself last year. According to an advisory from the Department of Homeland Security, Backoff had already infected more than 1,000 U.S. businesses at that point.

"Maybe the biggest takeaway from Backoff is that it is super, super prevalent," Grunzweig says.

And, according to new research from Fortinet, it's still evolving. Last week, Fortinet's researchers showed that several new versions of Backoff have surfaced with new tweaks, notably around obfuscation. Instead of disguising itself as a Java component, it now poses as a media player, and it uses hash functions for API names and for the names of blacklisted processes. Its C&C communication component has been modified to evade detection. Additionally, the latest version is packed with a custom packer.

"Like the API hashing function and the blacklist process name hashing function, using a custom packer is yet another attempt to hinder the analysis process," explains Hong Kei Chan. 
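The API hashing and blacklist-process-name hashing described in the two paragraphs above work the same way: the binary stores a 32-bit hash instead of the string, hashes each candidate at runtime (an export name while resolving imports, a running process name while checking for analysis tools) and compares hashes, so `strings` on the sample shows neither the APIs it uses nor the tools it avoids. The Python below is an added example, not Fortinet's analysis or Backoff's code. It uses the ROR-13 hash common in Windows shellcode as a stand-in, since the article does not publish Backoff's actual function; the process blacklist and the export table are constructed for the example. It shows both the malware-side check and the analyst's counter: hashing a wordlist of likely names to recover what the constants mean.

```python
from typing import Dict, Iterable

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_name(name: str) -> int:
    """ROR-13 string hash (assumption: a common shellcode scheme, not claimed to be Backoff's).
    Upper-casing first makes the lookup case-insensitive, as Windows names are."""
    h = 0
    for ch in name.upper().encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


# --- malware side ------------------------------------------------------------------
# In a real sample these would be literal 32-bit constants; they are derived here only
# so the example is self-contained. Constructed blacklist of analysis tools.
BLACKLISTED_PROCESS_HASHES = {hash_name(n) for n in ["procmon.exe", "wireshark.exe", "ollydbg.exe"]}


def is_blacklisted(process_name: str) -> bool:
    """Compare the hash of a running process name against the stored constants."""
    return hash_name(process_name) in BLACKLISTED_PROCESS_HASHES


def should_run(running_processes: Iterable[str]) -> bool:
    """Evasion check: refuse to run if any blacklisted tool is present."""
    return not any(is_blacklisted(p) for p in running_processes)


def resolve_api(wanted_hash: int, exports: Iterable[str]):
    """Import resolution by hash: walk a module's export names until one hashes to the constant."""
    for name in exports:
        if hash_name(name) == wanted_hash:
            return name
    return None


# --- analyst side ------------------------------------------------------------------
def recover_names(hashes: Iterable[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """Brute-force stored constants against a wordlist; anything not in the wordlist stays opaque."""
    table = {hash_name(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


# Constructed export table standing in for a DLL's export directory.
SAMPLE_EXPORTS = ["CreateServiceA", "GetProcAddress", "ReadProcessMemory", "OpenProcess"]

if __name__ == "__main__":
    print("run?", should_run(["explorer.exe", "pos.exe"]))            # True
    print("run?", should_run(["explorer.exe", "Wireshark.exe"]))      # False
    print(resolve_api(hash_name("ReadProcessMemory"), SAMPLE_EXPORTS))
    print(recover_names(BLACKLISTED_PROCESS_HASHES,
                        ["explorer.exe", "procmon.exe", "ollydbg.exe", "x64dbg.exe"]))
```

The recovery step is only as good as the wordlist: in the usage above, `wireshark.exe` is absent from the candidate list and its hash stays unresolved, which is exactly why analysts keep curated lists of API names and tool process names for this purpose. Identifying the hash routine itself in the disassembly comes first; once known, a resolver like this turns every hashed constant back into a readable name.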
