Researchers Discover Two New Strains of POS Malware

Two new and different strains of point of sale malware have come to light, including one that’s gone largely undetected for the past five years.

Point of sale malware has gotten more sophisticated as we inch closer to the two-year anniversary of the Target data breach. Now, two weeks from the biggest shopping day of the year, two new and different strains have come to light, including one that has gone largely undetected for the past five years.

Researchers with Trustwave described Cherry Picker, a family of POS malware that in one form or another has been targeting food and beverage businesses since 2011. The malware has stayed covert all these years through a combination of configuration files, encryption, obfuscation and command-line arguments.

Researchers with the firm noticed basic elements of the malware back in 2011, but it has gone through three iterations since, adding new configuration files, new memory-scraping methods and persistence mechanisms.

According to Eric Merritt, the primary researcher who analyzed the malware, Cherry Picker knows what it wants, and if it can't find it on the system, it simply exits. Its configuration files name the specific process it expects to find running, and only that process is targeted. Like a cherry-picking play in basketball, where a player's only job is to hang back near the hoop and score, Cherry Picker has a single objective: the card data in that one process.

“This implies that the malware author already has scouted the system and knows exactly what process they are targeting,” Merritt wrote of the technique in a blog entry Friday.

During his research Merritt also found a file on a Cherry Picker-infected system that likely helped cover the malware's tracks all these years. The file, a "cleaner" executable, contains hardcoded paths to the malware, its exfiltration files and legitimate files on the system. A "custom shredder function" in the code overwrites a file multiple times with 00s, FFs and, as Trustwave puts it, "cryptographic junk"; the cleaner runs it over the hardcoded list of malware and exfiltration file locations and then over the cleaner executable itself. From there, the code removes any remaining traces of the POS malware.

“The PoS software that was being targeted is terminated and then re-launched to remove the malware from memory,” Merritt writes.

“The malware’s unique ability to clean up after itself and create a clean slate within the system is a major contributor to why it’s gone undetected for so long. In addition to cleaning up after itself, the malware draws less attention to itself by focusing on one process that is known to contain card data as opposed to targeting all processes,” Merritt told Threatpost Thursday.

Unlike Cherry Picker, AbaddonPOS, another POS malware family disclosed this week, is relatively new.

Researchers with Proofpoint say they discovered the malware in early October after observing it being downloaded during a Vawtrak infection.

In that incident, Vawtrak, a banking Trojan, downloaded TinyLoader, a downloader, which in turn fetched a second downloader, which then downloaded shellcode that ultimately loaded AbaddonPOS.

Kevin Epstein, VP of Threat Operations at the firm, told Threatpost Thursday that the malware is the latest in a long line of sophisticated POS malware samples that have popped up.

“AbaddonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” Epstein said.

Vawtrak is only one of the infection chains researchers have seen delivering AbaddonPOS. Epstein says the firm has observed two others. In one, a victim is hit by the Angler Exploit Kit, which uses a browser exploit to install Bedep, which then downloads AbaddonPOS. In the other, a rigged Microsoft Word document drops the Pony loader, which downloads Vawtrak, which downloads TinyLoader, and the chain proceeds as in the first case.

Like other POS malware, AbaddonPOS hunts for credit card data by scraping the memory of running processes, but it exfiltrates what it finds over a custom binary protocol.

“A single hardcoded IP address is used as the C2 address, as well as the encoding routine that is used to obfuscate exfiltrated data,” reads a description of the malware’s exfiltration routine, published by Proofpoint on Thursday.
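Both families described here scrape process memory for card data. The Python below is an added example, not code from Trustwave or Proofpoint, showing what such a scraper (or a defender validating a suspicious memory dump or exfiltration capture) actually looks for: byte runs shaped like ISO 7813 Track 1 or Track 2 data whose PAN passes the Luhn check. The memory buffer is constructed for the example; the PANs are the standard test numbers 4111111111111111 and 371449635398431, not real cards.

```python
"""Locate magnetic-stripe track data in a raw memory buffer (constructed sample)."""
import re

# Track 2: optional ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, service code and discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\??")
# Track 1, format B: '%B', PAN, '^', cardholder name, '^', YYMM expiry, ...
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^]{2,26})\^(?P<exp>\d{4})\d*\??")


def luhn_ok(pan: bytes) -> bool:
    """Return True if an ASCII digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):      # iterate from the check digit leftwards
        d = ch - 0x30                            # ASCII digit -> int
        if i % 2 == 1:                           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> list[dict]:
    """Scan a memory buffer and return Luhn-valid Track 1 / Track 2 records.

    The regex gives the shape; Luhn filters out order IDs, timestamps and other
    digit runs that merely look like a card number.
    """
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                # keep only BIN and last four, as a real tool should when logging
                "pan_masked": pan[:6] + b"*" * (len(pan) - 10) + pan[-4:],
                "expiry": m.group("exp"),
            })
    return hits


# Constructed stand-in for a chunk of a POS process's heap. Test PANs only.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90junk header bytes\x00\x00"
    b"%B4111111111111111^DOE/JOHN^20121011234567890?\x00\x00"      # Track 1
    b";4111111111111111=20121011234567890?\x00"                    # Track 2
    b"order_id=4111111111111112=2012 right shape, fails Luhn\x00"  # rejected
    b"timestamp=20151113180000 plain digits, no separators\x00"    # no match
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

A real scraper is narrower than this: Cherry Picker, for instance, reads only the one process its configuration names, which is exactly what keeps its footprint small. On the defensive side the same two-stage test (format regex, then Luhn) is what separates a genuine card-data leak from false positives when triaging a memory image or a captured exfiltration blob.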

While researchers concede the Vawtrak connection is interesting, it may be coincidental. AbaddonPOS's code actually has more in common with TinyLoader, which dates back to January of this year, than with the banking Trojan.

“TinyDownloader and AbaddonPOS both exhibit very similar coding in two features — anti-analysis (CALL to push strings onto stack) and obfuscation (encoding shellcode using exact same encoding routine) — it seems quite possible, or even likely, that there is some connection between TinyDownloader and AbaddonPOS’s development,” Epstein told Threatpost.
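The "CALL to push strings onto stack" trick Epstein mentions is the x86 call/pop idiom: a CALL whose target sits just past an inline NUL-terminated string, so the return address CALL pushes is a pointer to that string and a following POP retrieves it, with no string literal in the data section for a disassembler to cross-reference. The Python below is an added example, not Proofpoint's tooling, that scans raw code bytes for that pattern. The sample bytes are constructed by hand; the scanner is a byte-level heuristic rather than a disassembler, so it can miss variants (strings that are not NUL-terminated, CALLs encoded with a prefix) and can flag coincidences, which is why it also reports whether a POP actually sits at the target.

```python
"""Flag x86 CALL rel32 instructions that hop over an inline NUL-terminated string."""
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))   # printable ASCII


def find_call_over_strings(code: bytes, max_len: int = 256) -> list[dict]:
    """Return every E8 <rel32> whose displacement equals the length of a
    printable, NUL-terminated string immediately following the instruction."""
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            start = i + 5                # the pushed return address points here
            target = start + rel         # where execution actually resumes
            if 1 < rel <= max_len and target < len(code):
                s = code[start:target - 1]
                if all(b in PRINTABLE for b in s) and code[target - 1] == 0:
                    hits.append({
                        "call_at": i,
                        "string": s,
                        # POP r32 opcodes are 0x58..0x5F; a POP here grabs the string pointer
                        "pop_at_target": 0x58 <= code[target] <= 0x5F,
                    })
                    i = target           # skip the string, keep scanning after it
                    continue
        i += 1
    return hits


# Constructed sample: two call/pop strings plus an ordinary call and a false lead.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                         # push ebp; mov ebp, esp (plain prologue)
    + b"\xe8" + struct.pack("<i", 13)       # call +13: hop over "kernel32.dll\0"
    + b"kernel32.dll\x00"                   # 12 chars + NUL = 13 bytes
    + b"\x5e"                               # pop esi ; esi = &"kernel32.dll"
    + b"\xe8" + struct.pack("<i", 15)       # call +15: hop over "GetProcAddress\0"
    + b"GetProcAddress\x00"                 # 14 chars + NUL = 15 bytes
    + b"\x5f"                               # pop edi ; edi = &"GetProcAddress"
    + b"\xe8" + struct.pack("<i", -0x30)    # ordinary backward call: ignored
    + b"\xe8" + struct.pack("<i", 4)        # forward call into non-printable bytes: ignored
    + b"\x8b\x45\x08\x00"
    + b"\xc3"                               # ret
)

if __name__ == "__main__":
    for hit in find_call_over_strings(SAMPLE_CODE):
        print(hit)
```

Run over a dumped shellcode blob or an unpacked loader, clusters of such hits (API and DLL names, C2 host strings) are a quick way to confirm the code uses this idiom before opening it in a disassembler.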

Regardless, attackers are going to have several options when it comes to POS malware this upcoming holiday shopping season, Epstein warns.

“Cybercrime is a sophisticated business ecosystem; it would be rare to have significant investments made by attackers in new malware development and – not – see it deployed for their gain.”
