“After dedicating their efforts to swelling the number of computers roped into their malicious net, the masters of the Andromeda botnet are putting it to use by delivering a new family of PoS malware to as many PoS systems as they can.
The systems get infected with the Andromeda backdoor after users either open a malicious attachment or visit a site hosting an exploit kit. In the former case, the attachments are often disguised as documents needed for PCI DSS compliance or for updating the company’s Oracle MICROS platform.
“Once converted into Andromeda bots, the affected machines can now be manipulated via a control panel, letting cybercriminals perform different commands,” Trend Micro researchers explain.
“Attackers use copies of the tools Mimikatz and PsExec to gain control. PsExec has been used in the Target breach to kill processes and move files. It is a legitimate whitelisted tool that attackers can use to remotely control and perform diagnostics on systems. On the other hand, Mimikatz is a publicly known tool, inserted in other tools, which attackers typically modify. It can be considered one of the best tools to gather credentials from a Windows system.”
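PsExec works by copying a service binary to the target's ADMIN$ share and registering it as a Windows service, which shows up as a System-log event 7045 ("A service was installed in the system"). The following is an added example, not code from the article or from Trend Micro, that flags such installs in a batch of constructed 7045 records; the record layout (a dict per event) and the sample data are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed sample records modelled on the fields of Windows System
# event 7045 (service installation). These are not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "7045", "host": "POS-REG-01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"event_id": "7045", "host": "POS-REG-02", "service_name": "gupdate",
     "image_path": r"C:\Program Files\Google\Update\GoogleUpdate.exe /svc",
     "account": "LocalSystem"},
    # PsExec's -r switch lets an attacker pick a different service name,
    # but the dropped binary still lands in the system root.
    {"event_id": "7045", "host": "POS-REG-03", "service_name": "winupd",
     "image_path": r"%SystemRoot%\winupd.exe", "account": "LocalSystem"},
    {"event_id": "7036", "host": "POS-REG-01", "service_name": "PSEXESVC",
     "image_path": "", "account": ""},
]

# Service names/binaries that are high-confidence PsExec indicators.
KNOWN_PSEXEC_NAMES = {"psexesvc"}

# Weaker heuristic: a freshly installed service whose binary sits directly
# in the system root (no subdirectory), running as LocalSystem.
SYSROOT_EXE = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)


def classify_service_install(ev: Dict[str, str]) -> str:
    """Return 'psexec', 'suspicious' or 'benign' for one event record."""
    if ev.get("event_id") != "7045":
        return "benign"  # only service-install events are of interest
    name = ev.get("service_name", "").lower()
    path = ev.get("image_path", "").strip().lower()
    exe = path.split("\\")[-1]
    if name in KNOWN_PSEXEC_NAMES or exe.startswith("psexesvc"):
        return "psexec"
    if SYSROOT_EXE.match(path) and ev.get("account", "").lower() == "localsystem":
        return "suspicious"
    return "benign"


def find_psexec_installs(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that look like PsExec (or PsExec-style) service drops."""
    hits = []
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict != "benign":
            hits.append({"host": ev["host"], "service_name": ev["service_name"],
                         "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_psexec_installs(SAMPLE_EVENTS):
        print(hit)
```

The "suspicious" tier exists because PsExec's `-r` option renames the remote service; matching only on `PSEXESVC` misses that case, while matching any LocalSystem service installed straight into `%SystemRoot%` catches it at the cost of some false positives that need triage.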
Not all of the targeted computers get GamaPoS – the new scraper malware – installed on them. The researchers estimate that it may have only hit 3.8% of those affected by Andromeda.
At the moment, some 85 percent of the GamaPoS-infected systems are used by organizations located in 13 US states (Arizona, California, Colorado, Florida, Georgia, Illinois, Kansas, Minnesota, Nevada, New York, South Carolina, Texas, and Wisconsin) and operating in a wide variety of industries (financial, IT, supply, hospitality, retail, and so on).
“GamaPoS holds the distinction of being a .NET scraper, something unseen in prior PoS threats. We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications. This makes .NET a viable platform to use for attacks”, the researchers point out.
Nevertheless, it does what PoS malware usually does: it scans process memory for magnetic-stripe Track 2 data (the card number, expiry date and service code that a swipe puts in the PoS application's RAM before encryption) and sends what it finds to the C&C server.
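A RAM scraper and a defender scanning a memory dump use the same trick: look for the Track 2 layout (start sentinel `;`, PAN, `=`, YYMM expiry, 3-digit service code, discretionary data, end sentinel `?`) and keep only candidates whose PAN passes the Luhn check. The block below is an added example, not code from the article or from Trend Micro; the memory buffer is constructed inline and uses well-known test card numbers, not real cards.

```python
import re
from typing import Dict, List

# Track 2: ;PAN=YYMMSSSdiscretionary?  (PAN is 13-19 digits, SSS = service code)
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed stand-in for a process memory dump. Contains two valid test
# PANs and one decoy that fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POS terminal v2\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"garbage;4111111111111112=25121010000000000?\x00"
    b";5500000000000004=2612201?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used to filter digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so findings can be reported without exposing the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes) -> List[Dict[str, str]]:
    """Return masked Track 2 records found in buf whose PAN passes Luhn."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # drop decoys / random digit runs
        hits.append({
            "offset": str(m.start()),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(2).decode()}/{m.group(3).decode()}",  # YY/MM
            "service_code": m.group(4).decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_DUMP):
        print(hit)
```

Run against a dump of the PoS application process (for example one taken with a memory-acquisition tool during incident response) this shows exactly what the scraper had access to; the Luhn filter is what keeps the output from filling up with timestamps and transaction IDs that happen to sit between `;` and `?`.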
“Note that this threat combines a classic botnet with a PoS RAM scraper, thus requiring more sophisticated methods of protection. To deal with exploit kits and botnets like Andromeda, IT managers need to stay updated on patches for vulnerabilities exploited by these kits,” they advise.
More information about Andromeda and GamaPoS, as well as indicators of compromise, can be found in this paper.”