Carders use custom built POS malware to hit US retailers

Crypto-ransomware might be the most prominent type of malware these days, but that doesn’t mean that criminals have stopped using other kinds.

According to FireEye researchers, crooks are dead set on stealing as much payment card information as possible before US retailers switch to chip-enabled cards, meaning they are trying to leverage all available POS malware on the market.

Custom built POS malware

As the researcher Nart Villeneuve explained, there is free POS malware (usually easily detected by security solutions) and there are those that have to be bought from its creators. There is also a third category – custom built POS malware.

One example of this is TreasureHunt, POS malware they believe was custom built for a specific cybercrime operation called “BearsInc”.

“BearsInc is an actor on an underground cybercrime forum dedicated to credit card fraud,” Villeneuve explained. “BearsInc has advertised stolen payment card information for sale.”

TreasureHunt is not that different from other POS malware: it enumerates running processes, extracts payment card information from the compromised system’s memory, and sends the collected info to a command and control server controlled by the crooks.

According to FireEye, the first version of the malware was created back in December 2014, and the latest (v0.1.1) has been in use since late November 2015.

And given that samples of the malware haven’t been uploaded often to VirusTotal or detected by security systems, the researchers posit that the malware is being deployed in a targeted manner. TreasureHunt is usually implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords.

Jolly Roger

The malware code contains a string that points toward both the creator of the malware and the buyer. The above mentioned BearsInc seems to be the latter, while the developer is someone that goes by the online handle “Jolly Roger” and apparently loves to use a pirate theme for his creations.

Whether he is the same individual who created the Jolly Roger Stealer – a password-stealer that dates back to 2013 – is impossible to know for sure. And, whatever the case may be, it doesn’t mean much to the victims.

FireEye researchers believe that smaller retailers and banks should be extra careful these days, and that they should speed up their transition to EMV chip-and-PIN technology. An increasing number of major firms already has, they noted – the pool of potential victims is shrinking, and the likelihood of being hit increases as time passes.