Point-of-Sale Malware is defined as malicious software that is used by cyber criminals to target point of sale and payment terminals with the end goal of obtaining credit and debit card information, or other valuable data. These POS families usually include memory scraping/dumping and keystroke-logging functionality to capture as much card data as possible. Here are the top 4 point-of-sale malware families encountered by cybersecurity professionals:
This point-of-sale family uses PowerShell scripts to inject itself into the memory without storing the malicious binaries on a disk, which makes it harder to detect when attack occurs. This family of malware is primarily used to capture credit card information, which are then encoded and dumped into a log file for later use. Some of the samples encountered included no functionality for the attacker to exfiltrate the data they uncovered, allowing the attackers the opportunity to avoid leaving a trail that could help investigators identify the malware source.
PoSeidon is a multicomponent attacker that has been around in the industry for several years. This family serves primarily as a memory scraper that searches the computers for patterns indicating credit card numbers and additional information. The memory scraping component also includes a key logger that can collect operator credentials on the infected system. It automatically transmits potentially valuable data to a server controlled by the attacker via HTTP POST. There is also a new version (15.0), that uses anti-analysis techniques that obfuscate the imported DLL and APIs to hinder static analysis of the malware.
This attack family first surfaced in 2015 in a series of point-of-sale attacks in South America, and the family resurfaced in 2018 with a string of incident response engagements in Brazil. Its functionalities include file download and execution, memory scraping of credit card holder data, key-logging, and data exfiltration. It can also act as a worm by infecting removable drives like USBs.
Cabanak, the notorious cybercrime group, was as active as ever in 2018. The malware samples pulled were mainly memory scrapers that include features like remote-desktop functionality and the ability to steal passwords from victims. Another noteworthy technique the malware uses for persistence involves leveraging the application shim database that comes from the Windows Application Compatibility Toolkit (ACT).
A shim can be defined as a small piece of code than enables an application to simulate the behavior of older version of the software for better compatibility with newer versions of Windows. Attackers use this tool to register a shim-database file containing a malicious patch for the legitimate Windows executable services.exe. When run, the patch executes a shellcode that launches a Cabanak DLL stored in a registry key.