LusyPOS Malware Seen in Russian Underground Forums

Earlier this month, security researchers discovered a new PoS malware family, which they named “LusyPOS” after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they noted that while it shared some characteristics with the Dexter family of PoS malware, its behavior also linked it to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to connect to its command-and-control (C&C) servers.

However, we believe that LusyPOS is more clearly related to Dexter than it is to Chewbacca, despite the usage of Tor. Dexter and Chewbacca have very distinct text strings used within their code. For example, some variable names are used in Dexter’s code which are not found in Chewbacca. Dexter is one of the most popular and long-running PoS malware families, and we closely monitor this particular threat in order to help protect our customers.

We had earlier documented these names – and their uses – in our previous paper analyzing existing PoS malware families. Some of the strings that were identified in LusyPOS were also found in Dexter. For example, the following strings are known to be HTTP POST variables used by Dexter:

  • page
  • ump
  • ks
  • opt
  • unm
  • cnm
  • view
  • spec
  • query
  • val
  • var
  • nbsp

Similarly, the following are commands that are known to be processed by Dexter:

  • download
  • update
  • checkin
  • scanin
  • uninstall

The same paper also contains strings used by Chewbacca; however the analysis of LusyPOS did not indicate these strings are present.
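As an added illustration (not code from the original post or from Trend Micro), the following Python sketch shows how a network monitor could use the Dexter string set above as a traffic signature: a POST body whose field names all come from that set, including at least two of the less common ones (ump, ks, unm, cnm, spec, nbsp), is flagged, while the common names alone are not enough because page, view or query appear in ordinary web forms. The sample requests and response are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# HTTP POST variable names and C&C commands the post attributes to Dexter.
DEXTER_POST_VARS = {"page", "ump", "ks", "opt", "unm", "cnm", "view",
                    "spec", "query", "val", "var", "nbsp"}
DEXTER_COMMANDS = {"download", "update", "checkin", "scanin", "uninstall"}
# Names common in ordinary web traffic; they carry little weight on their own.
GENERIC_NAMES = {"page", "view", "query", "val", "var", "opt"}


def post_body_field_names(raw_request: str) -> set:
    """Return the form field names of a raw HTTP POST with a urlencoded body."""
    head, _, body = raw_request.partition("\r\n\r\n")
    if not head.startswith("POST ") or "application/x-www-form-urlencoded" not in head:
        return set()
    return set(parse_qs(body, keep_blank_values=True).keys())


def dexter_field_score(names: set) -> dict:
    """Split observed field names into Dexter matches, distinctive matches and unknowns."""
    matched = names & DEXTER_POST_VARS
    return {"matched": sorted(matched),
            "distinctive": sorted(matched - GENERIC_NAMES),
            "unknown": sorted(names - DEXTER_POST_VARS)}


def looks_like_dexter_checkin(raw_request: str) -> bool:
    """Flag a POST whose fields are all Dexter names, with >= 2 distinctive ones."""
    names = post_body_field_names(raw_request)
    if not names:
        return False
    score = dexter_field_score(names)
    return len(score["distinctive"]) >= 2 and not score["unknown"]


def dexter_commands_in(response_body: str) -> list:
    """Return the Dexter command keywords present as whole words in a C&C reply."""
    tokens = set(re.findall(r"[a-z]+", response_body.lower()))
    return sorted(tokens & DEXTER_COMMANDS)


# Constructed sample traffic (not captured from real malware); host is a placeholder.
SUSPECT_POST = ("POST /gateway.php HTTP/1.1\r\nHost: example.invalid\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "page=a1b2&ump=ZGF0YQ&ks=1&opt=0&unm=dXNlcg&cnm=aG9zdA"
                "&view=5&spec=x&query=y&val=1&var=2&nbsp=")
BENIGN_POST = ("POST /search HTTP/1.1\r\nHost: example.invalid\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "page=2&view=list&query=shoes&sort=asc")

if __name__ == "__main__":
    print("suspect:", looks_like_dexter_checkin(SUSPECT_POST))   # True
    print("benign: ", looks_like_dexter_checkin(BENIGN_POST))    # False
    print("commands:", dexter_commands_in("checkin update ok"))  # ['checkin', 'update']
```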

So what does this mean? The information suggests that this new LusyPOS malware family is more closely related to Dexter than to Chewbacca. It is possible that LusyPOS is a new Dexter variant that has copied the Tor behavior of the newer PoS malware family. Considering the recognized threat that Dexter poses, this is a significant addition to the repertoire of existing PoS threats. Such a capability would be welcomed by cybercriminals, particularly during this time of year.

The original researchers note that it would be highly abnormal for PoS systems to connect to the Tor network, which is correct. Appropriate firewalls and other network solutions can be used to spot and block such connections as they occur.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 8 December 2014; the full text is available from the content source named above.