Experts at Cisco have discovered a new Point-of-Sale (PoS) malware dubbed PoSeidon. The Cisco experts have discovered many similarities with the popular Zeus Trojan and use sophisticated methods to find card data respect other POS malware like BlackPoS, which was used to steal data from US giant retailers Target and Home Depot.
“PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” states the blog post from Cisco’s Security Solutions team“PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”
The malware belongs to the scrapers family, malicious code that “scrape” POS memory searching for card numbers of principal card issuers (i.g. Visa, MasterCard, AMEX and Discover), but is a very effective improvement in its capability to verify if the numbers are valid by using the Luhn formula.
Once in execution Poseidon starts with a Loader binary that operates to maintain persistence on the victim’s machine, then it receive other components from the C&C servers. Among the binaries downloaded by the loader there is also a Keylogger component used to steal passwords and could have been the initial infection vector, Cisco said.
“The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.” continues Cisco.
Loader contacts one of the hardcoded servers in the following list provided by CISCO experts, the majority of them belongs to Russian domains :
- linturefa.com
- xablopefgr.com
- tabidzuwek.com
- lacdileftre.ru
- tabidzuwek.com
- xablopefgr.com
- lacdileftre.ru
- weksrubaz.ru
- linturefa.ru
- mifastubiv.ru
- xablopefgr.ru
- tabidzuwek.ru
PoSeidon sends back to the C&C served stolen card data and keylogger in encrypted format, it used XOR and base64 encoding. Most of the command and control servers are currently hosted on .ru domains, Cisco said.
PoSeidon demonstrates the great interest of the criminal underground in PoS systems, criminal crews are developing sophisticated techniques to compromise these systems.
“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.” explained Cisco’s Security Solutions team.
The report published by Cisco also includes further interesting information on PoSeidon malware, including IOCs and Snort Rules for its detection.
###
