POS Malware Nitlove Seen Spreading Through Spam Campaign

Nitlove and several new versions of PoSeidon can be added to the growing heap of point-of-sale (POS) malware discovered this year.

Toss another strain of point-of-sale (POS) malware onto the growing heap discovered this year.

The latest variant, a variant dubbed NitlovePOS, was spotted being dropped on victims who were compromised by a spam operation. Researchers with the firm FireEye were in the middle of tracking a campaign in which spam email emanate from bogus Yahoo! accounts whose subject lines purport to come from individuals interested in internships, job openings and the like.

Once deployed the malware can capture and exfiltrate Track 1 one and Track 2 data as it scans the processes of a compromised machine, according to a blog entry that discussed the malware in depth over the weekend.

Nart Villeneuve and Daniel Regalado, a Principal Threat Intelligence Analyst and a Senior Staff Malware Researcher, respectively, spotted the malware while looking at Word documents they found embedded with a malicious macro.

Once users open documents that masquerade as resumes they’re instructed to enable Editing and Content in Word to view it. In doing so the user enables the macro and triggers it to download a corresponding executable.

While the server can download and execute a variety of different payloads, the one Villeneuve and Regalado focused on was Nitlove, or “pos.exe.”

Once opened, the malware can bypass some methods of detection. If Nitlove finds Track 1 or 2 data, it goes ahead and stores the data in a mailslot and sends it to a command and control server via POST using SSL, something that helps it thwart network-level detection.

Once set up, the malware communicates with one of three servers located in St. Petersburg, Russia, via SSL.

While technically a new strain of malware, it doesn’t sound like Nitlove is too widespread yet. FireEye claims it has monitored plenty of .EXE downloads from the server it’s been watching but only three of the downloads have been of “pos.exe.”

The researchers claim the low detection numbers could ultimately give its creator some time to work out any kinks with the malware though.

“Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant,” Villeneuve and Regalado wrote.

Unlike Nitlove, which is just beginning to develop, PoSeidon – another POS malware variant dug up this year – appears to be diversifying.

Much like other strains of POS malware, PoSeidon, first dug up by researchers at Cisco, infects POS machines and scrapes memory for credit card information. PoSeidon then sends that information off to .ru domains for harvest.

Researchers at Damballa, a security firm that specializes in APT research, claimed last week that they’ve discovered three new and different versions of PoSeidon: 2.2, 7.5 and 7.92, in addition to a new version of its Loader, 11.90.

The new samples, like other builds of PoSeidon also link back to Russian IP addresses, don’t differ too much from the original versions, but as Loucif Kharouni, a Senior Threat Researcher with the firm points out, they do help solidify the fact that the malware is continuing to evolve.

In a technical writeup of the new versions last Thursday, Kharouni claims that some of the domains he spotted communicating with PoSeidon had previously been spotted dealing with infrastructure relating to the malware BackOff.

Perhaps best known as the culprit behind last year’s Dairy Queen breach, the soft serve and fast food chain called Backoff out by name when it confirmed the breach of nearly 400 stores last October.

US-CERT first sounded the alarm over the malware last July and it’s widely assumed that it was also in some way connected to the large-scale hack at Home Depot last summer.

PoSeidon uses some elements of Backoff, so its connection to the malware was always loosely assumed by many researchers. But Damballa’s research, which pinpoints specific domains to both families, seems to be the most definitive connection between the two so far.

Nitlove and PoSeidon are two of several new POS malware families to surface this year. LogPOS, which like Nitlove uses mailslots to store stolen credit card numbers, was found in March, while a new version of Alina was found in January. Trustwave’s SpiderLabs discovered Punkey last month.

Suggested articles