Researchers have now discovered two new and different
strains of point of sale (POS) malware including one that has gone largely
undetected for the past five years.
Researchers have described Cherry Picker, a family of POS
malware which in one form or another has been targeting businesses that sell food
and beverages since 2011.
The malware is reported to have been used in a recent breach
at an unidentified U.S. restaurant chain.
This new form of memory-scraping POS malware has become a
threat to retailers.
The Federal Bureau of Investigation (FBI) has released a
warning urging retailers to guard against the malware, as it can infect any Windows-based
POS network and can encrypt the data it steals, making detection difficult.
Researchers with Trustwave noticed some basic elements
of the malware back in 2011, but the malware has gone through three iterations
in the years since, adding new configuration files, new ways to scrape memory, and
new ways to remain persistent.
The malware has managed to stay covert for many years by
using a combination of configuration files, encryption, obfuscation, and
command line arguments.
During his research, Eric Merritt, the primary researcher who
observed the malware, also found a file on a system infected by Cherry Picker that helped
cover the malware’s tracks all these years. The file contains hardcoded
paths to the malware, to exfiltration files, and to legitimate files on the system. A
special “custom shredder function” in the code overwrites the
file multiple times with 00’s, FF’s, and “cryptographic junk” before going on
to shred a list of malware and exfiltration file locations, and the executable
itself. From there, the code removes any remaining traces of the POS malware.
Researchers have also discovered the existence of
another type of POS malware known as Abaddon, which is newer than
Cherry Picker.
In the observed infection chain, Vawtrak, a banking Trojan, downloaded TinyLoader, a
downloader which in turn downloaded another downloader, which downloaded
shellcode that turned into Abaddon.
“AbaddonPOS appears to have features for anti-analysis, code
obfuscation, persistence, location of credit card data, and a custom protocol
for exfiltrating data. Much like malware as a general category, the
sophistication of this new malware over prior malware continues to increase,”
said Kevin Epstein, Vice President of Threat Operations at the firm.
In addition, security firm Trend Micro is warning of a new
malware called MalumPOS, which targets the Oracle MICROS POS system.
Attackers will have several choices when it comes to
POS malware this season.