New POS Malware Uses Mailslots to Avoid Detection

A new type of POS malware, LogPOS, is using technology that evades detection by letting the malware inject code while it shuttles stolen credit card numbers to its C+C server.

New point-of-sale malware, LogPOS, has been using technology that evades detection by allowing the malware to inject code and act like a client while it shuttles stolen credit card numbers off to its command and control server.

The technology, Microsoft Windows’ mailslots, isn’t new by any means, but this is the first time a POS malware variant has been spotted using it. Mailslots are an inter-process communication mechanism that allows multiple client processes to send messages to the process that owns the slot.

“Applications can store messages in a mailslot. The owner of the mailslot can retrieve messages that are stored there,” writes Microsoft’s Dev Center about the mechanism.

According to Jeremy Humble and Nick Hoffman, two researchers at Morphick, the Ohio-based security firm that found the malware, LogPOS’s executable creates a mailslot, which acts like a server. The code that it injects into various processes acts as a client and subsequently transfers credit card information to the mailslot, which then whisks it away to the C+C.

The way the multitasking malware created the mailslot and injected code jumped out to the researchers “almost immediately,” according to Hoffman, who described LogPOS in a technical write-up on Monday.

Unlike other types of POS malware such as Backoff, LogPOS can’t write the data it discovers in processes to a log. That’s because the malware already has its hands full injecting code into processes, each of which searches its own memory. Those injected processes can’t all open the same file with write access simultaneously — so each one writes the information to a mailslot instead.

Once it has created a mailslot, the malware compares running processes against a whitelist, injects code into those processes, scans their memory for credit card information, validates it, sends it to the mailslot and then onward to a remote site.
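The server/client fan-in described above is also what a defender can look for: one process creates a mailslot, injects into several others, and those others all write to that same slot. The following is an added example (not Morphick’s code and not a LogPOS artifact) that correlates that pattern over a small set of constructed endpoint-telemetry lines; the event format, mailslot name and PIDs are invented for the demo, and a real EDR or Sysmon schema will differ.

```python
"""Correlate mailslot creation, code injection and mailslot writes into the
server/client fan-in pattern LogPOS is described as using.  Added example,
not Morphick's code; the telemetry format below is constructed for this demo."""
from collections import defaultdict

# Constructed telemetry (hypothetical format): pid|image|event|target
# A legitimate single-process mailslot (spoolsv.exe) is included as a
# negative case that the heuristic must not flag.
SAMPLE_EVENTS = r"""
1204|svchost.exe|mailslot_create|\\.\mailslot\example_slot
1204|svchost.exe|remote_thread|3301
1204|svchost.exe|remote_thread|3420
1204|svchost.exe|remote_thread|3555
3301|pos.exe|mailslot_write|\\.\mailslot\example_slot
3420|explorer.exe|mailslot_write|\\.\mailslot\example_slot
3555|notepad.exe|mailslot_write|\\.\mailslot\example_slot
1204|svchost.exe|network_connect|198.51.100.7:80
7700|spoolsv.exe|mailslot_create|\\.\mailslot\printq
7700|spoolsv.exe|mailslot_write|\\.\mailslot\printq
"""


def parse_events(text):
    """Parse pipe-delimited telemetry lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, image, event, target = line.split("|", 3)
        events.append({"pid": int(pid), "image": image,
                       "event": event, "target": target})
    return events


def find_mailslot_fan_in(events, min_writers=2):
    """Flag a mailslot owner that injected into the processes writing to it.

    The signal is the combination, not any single event: mailslots are a
    normal Windows IPC feature, and code injection alone has other causes.
    """
    owners = {}                   # slot name -> (owner pid, owner image)
    writers = defaultdict(set)    # slot name -> pids that wrote to it
    injected = defaultdict(set)   # injector pid -> pids it started threads in
    connectors = set()            # pids with outbound network connections

    for e in events:
        if e["event"] == "mailslot_create":
            owners[e["target"]] = (e["pid"], e["image"])
        elif e["event"] == "mailslot_write":
            writers[e["target"]].add(e["pid"])
        elif e["event"] == "remote_thread":
            injected[e["pid"]].add(int(e["target"]))
        elif e["event"] == "network_connect":
            connectors.add(e["pid"])

    findings = []
    for slot, (owner, image) in owners.items():
        clients = writers[slot] - {owner}          # other processes feeding the slot
        injected_clients = clients & injected[owner]
        if len(injected_clients) >= min_writers:
            findings.append({
                "mailslot": slot,
                "owner_pid": owner,
                "owner_image": image,
                "injected_writers": sorted(injected_clients),
                # The owner is the only process that needs to talk out, which
                # is where network telemetry ties the chain together.
                "exfil_seen": owner in connectors,
            })
    return findings


if __name__ == "__main__":
    for finding in find_mailslot_fan_in(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The spoolsv.exe slot is never flagged because the only writer is its owner; the svchost.exe slot is flagged because every writer is a process the owner injected into, and the owner alone opens a network connection. Raising `min_writers` trades sensitivity for fewer false positives on hosts where a single legitimate injection pairs with a mailslot.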

According to Hoffman, the form he and Humble discovered the malware sending data to isn’t even password protected, which suggests the author may still be testing the code.

This time last year, consumers were already deep in the throes of numerous large data breaches; the dust around 2013’s massive Target breach was still settling and fresh hacks of stores like Michaels and Neiman Marcus made headlines.

Since then, popular malware variants like Backoff, which has extensive data-stealing and exfiltration capabilities, have become a go-to for attackers eyeing point-of-sale systems. By comparison, 2015 has so far been relatively quiet on the retail breach disclosure front, but that hasn’t stopped POS malware creators from quietly refining their product.

“Despite the ongoing efforts to curb POS malware from being successful, this seems to be an area where there is no slowing down,” Hoffman wrote, acknowledging some newer POS malware variants that have been uncovered over the past several months like Alina and Spark.
