Thursday, April 21, 2016

TREASUREHUNT: A Custom POS Malware Tool

Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.
Although the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing “swipe” cards to EMV or “chip” enabled cards liable for card present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered. POS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often a result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.

TREASUREHUNT is POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server. TREASUREHUNT would be implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured POS systems. When executed, TREASUREHUNT installs itself to the %APPDATA% directory and sets up a registry ‘run’ key for persistence. The malware then initiates a beacon to a CnC server; the connection to the CnC server is via HTTP POST. The malware scans all running processes, ignoring any whose module names contain System32, SysWOW64, or \Windows\explorer.exe. It searches the remaining processes for payment card data and, if any is found, sends it in encoded form back to the CnC server. The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server.
All of the TREASUREHUNT samples identified so far contain the same compilation timestamp of 2014-10-19 07:14:39. This is likely an artifact of the builder rather than the time the samples were actually compiled. Using this data, TREASUREHUNT appears to have been first deployed in late 2014 and was seen throughout 2015 and into 2016.
The relatively sparse sample set may indicate that TREASUREHUNT is being deployed in a targeted manner rather than being propagated indiscriminately.
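A shared builder timestamp like the one above is a cheap triage pivot: read the COFF TimeDateStamp straight out of a PE header and compare it against the known value. The following is an added example written for this post, not FireEye's or the malware's code; the PE-like blobs it builds are constructed test data, and a timestamp match is only a lead for further analysis, not proof of TREASUREHUNT.

```python
import struct
from datetime import datetime, timezone

# Compile timestamp shared by all TREASUREHUNT samples described above (value from the post).
TREASUREHUNT_STAMP = "2014-10-19 07:14:39"


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC 'YYYY-MM-DD HH:MM:SS'
    string, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    # Layout after the signature: Machine (2) + NumberOfSections (2) + TimeDateStamp (4)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def matches_treasurehunt_stamp(data: bytes) -> bool:
    """True when the image carries the builder timestamp shared by the known samples.
    Treat a hit as a triage lead only: builders reuse stamps and stamps are trivially forged."""
    return pe_timestamp(data) == TREASUREHUNT_STAMP


def build_sample(stamp_str: str) -> bytes:
    """Construct a minimal, non-executable PE-like blob carrying the given build time.
    Constructed test data only, so the check can be exercised offline."""
    epoch = int(datetime.strptime(stamp_str, "%Y-%m-%d %H:%M:%S")
                .replace(tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                       # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: IMAGE_FILE_MACHINE_I386, 1 section, stamp, then zeroed/flag fields
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, epoch, 0, 0, 0, 0x102)
    return bytes(dos) + coff


SUSPECT = build_sample(TREASUREHUNT_STAMP)      # constructed: carries the shared stamp
BENIGN = build_sample("2016-03-02 12:00:00")    # constructed: unrelated build time

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, pe_timestamp(blob), matches_treasurehunt_stamp(blob))
```

On real files, read the bytes with `open(path, "rb").read()` and feed them to `matches_treasurehunt_stamp`; confirm any hit with the behaviours described above (the %APPDATA% install path, the run key, and the HTTP POST beacon) before acting on it.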

In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless. While some cybercriminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking to take advantage of memory scraping POS malware while it still works.
With an increasing number of major firms transitioning to the more secure chip-enabled cards, we expect to see cyber criminals increasingly turn their attention to smaller retailers and banks that may not be as prepared for the transition.
