New PoS malware family discovered

A new family of PoS malware has been discovered and analyzed by Trend Micro researchers.

They dubbed it PwnPOS, and believe that it has been in use since 2013, possibly even earlier. So how come it took so long for it to be spotted?

“PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years due to its simple but thoughtful construction,” they explained.

Made of two components – a RAM scraper binary and a binary responsible for data exfiltration – PwnPOS works similarly to most other known PoS malware: it enumerates all running processes, searches for payment card data and dumps it into a separate file, then compresses and encrypts that file and exfiltrates it by email to a pre-defined mail account via SMTP with SSL and authentication.

“Rather than utilizing a third-party executable to send email, it utilizes a known AutoIt routine that makes use of the Collaboration Data Objects (CDO) API suite that is built-in with Microsoft Windows,” Threats Analyst Jay Yaneza shared.

The malware ensures its persistence and hides on the machine in several ways: it can add and remove itself from the list of services, download and delete files as needed, masquerade malicious files as benign ones and hide them within the %SYSTEM% directory, and store the stolen data in a .dat file that doesn’t look out of place in the %SystemRoot%\system32 directory.

“While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors,” Yaneza noted.

“We have seen PwnPOS operating with other PoS malware like BlackPOS and Alina, among small-to-medium businesses (SMB) within Japan, APAC (Australia, India), NABU (United States and Canada) and EMEA (Germany, Romania) running 32-bit versions of either Windows XP or Windows 7.”

The company has provided threat indicators and a YARA rule to detect the RAM scraper component.
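Because the exfiltration component sends the stolen data by email over SMTP with SSL, outbound SMTP from PoS terminals is also worth watching at the network level. The following is an added example, not code from Trend Micro or from the article: it flags PoS hosts that connect to SMTP ports on anything other than an approved mail relay. The address ranges, the relay address, the flow-log layout and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions for this example (not from the article): networks, relay, log layout.
POS_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]   # hypothetical PoS VLAN
APPROVED_RELAYS = {ipaddress.ip_address("10.1.1.25")}   # hypothetical internal mail relay
SMTP_PORTS = {25, 465, 587}                             # SMTP, SMTP over SSL, submission

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
2015-03-02T02:14:07Z,10.20.0.31,203.0.113.50,465,48213
2015-03-02T02:14:09Z,10.20.0.31,10.1.1.25,25,1020
2015-03-02T02:15:44Z,10.20.0.12,198.51.100.7,443,5120
2015-03-02T03:14:10Z,10.20.0.31,203.0.113.50,465,51877
2015-03-02T03:20:00Z,10.30.0.5,203.0.113.50,587,900
not,a,valid,row
"""

def is_pos_host(ip):
    return any(ip in net for net in POS_NETWORKS)

def find_smtp_egress(flow_csv):
    """Return {src_ip: {"connections", "bytes_out", "destinations"}} for PoS
    hosts that spoke SMTP to anything other than an approved relay."""
    hits = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "destinations": set()})
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _ts, src, dst, port, nbytes = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # skip malformed rows instead of aborting the whole run
        if not is_pos_host(src_ip) or port not in SMTP_PORTS:
            continue
        if dst_ip in APPROVED_RELAYS:
            continue  # mail through the sanctioned relay is expected
        entry = hits[src]
        entry["connections"] += 1
        entry["bytes_out"] += nbytes
        entry["destinations"].add(f"{dst}:{port}")
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_smtp_egress(SAMPLE_FLOWS).items()):
        print(host, info["connections"], info["bytes_out"], sorted(info["destinations"]))
```

A check like this complements host-side indicators, since it does not depend on recognizing any particular binary on the terminal.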