A new piece of Point-of-Sale RAM scraping malware has been submitted to VirusTotal and analyzed by researchers, who found that it’s a cross between two older and different POS malware families and is offered for sale on underground markets for $2,000.
Called LusyPOS, the RAM scraper is currently detected by 23 of the 55 AV engines used by VirusTotal. When the executable was initially submitted to the service – on November 30 – it was detected by only 7 of them, and two of these detections were triggered by the tor.exe component in the bundle.
LusyPOS is larger than most previously seen POS malware samples, at almost 4.0 MB. According to Nick Hoffman and Jeremy Humble, reverse engineers at Ohio-based security company CBTS, it features a “strange mix of Dexter-like behavior mixed with Chewbacca-like techniques.”
LusyPOS resembles Dexter in how it stores its C&C server information and the list of processes it scans for card data, and in how it uses registry keys to achieve persistence on the machine. Its RAM-scraping code is likewise similar to that of earlier POS malware, including its use of the Luhn algorithm to check that scraped data is valid payment card track data rather than number-like noise.
The way it uses the Tor anonymity network for C&C communication makes it similar to Chewbacca.
In principle, POS machines should never be able to “talk” to Tor at all. “When it comes to PCI compliance, this type of network communication should never be allowed. Organizations should be on the lookout for attempts to contact suspicious domain names with a .onion TLD and block them immediately,” Jeremy Scott, Senior Research Analyst with Solutionary, pointed out.
“Most PCI audits will attempt to lock this sort of activity down,” Hoffman confirms. “But there seem to be devils in the implementation that allow malware like this to be successful.”