New PoS Malware Kicks off Holiday Shopping Weekend

We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.

Around this time last year, the U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware, a PoS RAM scraper malware family. Cybercriminals gathered roughly 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers. Home Depot also suffered recently from a data breach, which has so far cost the hardware mart more than $43 million in expenses to investigate the breach.

TSPY_POSLOGR.K: In the Beta Testing Phase?

Based on our initial analysis, this new PoS malware does not connect to any server to exfiltrate the dumped data. TSPY_POSLOGR.K reads memory from specified processes written in the .INI file and saves gathered dump to rep.bin and rep.tmp.

Figure 1. In the case of TSPY_POSLOGR.K, dumped data is placed in rep.bin and rep.tmp. The word ‘FUCK’ is inserted in front of the data.

Based on the other PoS malware behaviors we observed, it appears to be designed as multicomponent malware similar to an earlier BlackPOS variant named TSPY_MEMLOG.A, as it might require another component to retrieve the dumped data. It is highly possible that this is deployed as a package.

The malware is dependent on its configuration file (which means that it’s starting to build flexibility). By default, the configuration file named as 1.ini is not present in the system, so we cannot tell which default processes are being scanned or read. The malware also does not display any known C&C communications and still has debug strings in its code. Because of this, we believe that this PoS malware is still in the beta testing stage or under development.



Figure 2. Code snippet of debug strings used

Figure 3. Expected content of the .INI file: Values of cryp , time, proc

We will continue to monitor this threat for more updates. In the meantime, users can stay safe online during the holiday shopping weekend by following the tips in the articles below:

Read more about PoS RAM Scraper Malware from our paper titled “PoS RAM Scraper Malware: Past, Present, and Future.”

With additional input and analysis by Rhena Inocencio

Hat tip goes out to Nick Hoffman of 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New PoS Malware Kicks off Holiday Shopping Weekend

Read more: New PoS Malware Kicks off Holiday Shopping Weekend

Incoming search terms

Story added 27. November 2014, content source with full text you can find at link above.