- authors Pierluigi Paganini
Experts at Cisco have discovered a new Point-of-Sale (PoS) malware dubbed PoSeidon. The Cisco experts have discovered many similarities with the popular Zeus Trojan and use sophisticated methods to find card data respect other POS malware like BlackPoS, which was used to steal data from US giant retailers Target and Home Depot.
“PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” states the blog post from Cisco’s Security Solutions team“PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”
The malware belongs to the scrapers family, malicious code that “scrape” POS memory searching for card numbers of principal card issuers (i.g. Visa, MasterCard, AMEX and Discover), but is a very effective improvement in its capability to verify if the numbers are valid by using the Luhn formula.
Once in execution Poseidon starts with a Loader binary that operates to maintain persistence on the victim’s machine, then it receive other components from the C&C servers. Among the binaries downloaded by the loader there is also a Keylogger component used to steal passwords and could have been the initial infection vector, Cisco said.
“The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.” continues Cisco.
Loader contacts one of the hardcoded servers in the following list provided by CISCO experts, the majority of them belongs to Russian domains :
PoSeidon sends back to the C&C served stolen card data and keylogger in encrypted format, it used XOR and base64 encoding. Most of the command and control servers are currently hosted on .ru domains, Cisco said.
“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.” explained Cisco’s Security Solutions team.
The report published by Cisco also includes further interesting information on PoSeidon malware, including IOCs and Snort Rules for its detection.
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.