New PoS malware family comes with keylogger component

A new piece of PoS scraper malware has been found and analyzed by researchers from Cisco’s Talos Security Intelligence and Research Group.

Dubbed “PoSeidon,” the malware comes with a keylogger component, and sends the collected data to a series of servers hosted mostly on Russian (.ru) domains.

It is installed on the target system in multiple stages.

“At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot,” the researchers said, describing the compromise sequence.

“The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.”


The malware uses the Luhn algorithm to verify that the numbers it scrapes are actually payment card numbers.

“As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families,” the researchers commented. “Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.”

For indicators of compromise and additional technical details about the components, check out the original Cisco post.