As more and more transactions are carried out electronically, point of sale systems become an ever more tempting target for cyber criminals. Security researchers at networking company Cisco have identified a new strain of PoS malware that seeks to extract credit card data from memory and send it to remote servers.
Named PoSeidon, it has a more sophisticated design than other PoS malware and bears some resemblance to ZeuS. It is written to evade detection, can communicate directly with C&C servers, can self-update to execute new code, and has self-protection mechanisms to guard against reverse engineering.
The infection starts with a loader binary that, when executed, will try to gain persistence on the target machine in order to survive a system reboot. It does this by hiding itself in a process named WinHost32 and adding an entry to the registry.
The loader then contacts a command and control server, retrieving a URL containing another binary to download and execute. Once downloaded the binary, FindStr, installs a keylogger and scans the memory of the PoS device for any number sequences that could be credit card numbers. Once it's verified that the digits it's found are in fact credit card numbers, both keystrokes and card numbers are encoded and sent to a server.
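The article says the FindStr component only exfiltrates digit sequences it has verified to be card numbers. The example below is added here and is not code from the article or from Cisco; it assumes that verification step is the standard Luhn check-digit test (the usual way to separate a primary account number from an arbitrary run of digits), and turns the same test to a defender's use: flagging card-shaped data in outbound traffic captured at a proxy or DLP sensor. The sample request body is constructed and uses public test card numbers, and the function names are the example's own.

```python
import re
from typing import List

# A candidate PAN is a run of 13 to 19 digits that is not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check-digit test."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second one and folding results
    # above 9 back to a single digit (18 -> 9, 16 -> 7, ...).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display convention), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_leaked_pans(payload: str) -> List[str]:
    """Return masked PANs found in payload: card-length digit runs that also pass Luhn.

    Digit runs that are merely card-length (timestamps, order ids) are dropped by the
    Luhn test, which keeps the alert rate usable for a human analyst.
    """
    return [
        mask_pan(m.group())
        for m in PAN_CANDIDATE.finditer(payload)
        if luhn_valid(m.group())
    ]


# Constructed sample of an outbound POST body as a proxy or DLP sensor might see it.
# 4111111111111111 and 5500000000000004 are public test numbers; the 13-digit value is a
# timestamp and the last value is a test number with a corrupted check digit.
SAMPLE_OUTBOUND = (
    "ks=Enter&n=4111111111111111&ts=1234567890123"
    "&n=5500000000000004&bad=4111111111111112"
)

if __name__ == "__main__":
    for hit in find_leaked_pans(SAMPLE_OUTBOUND):
        print("possible card data in outbound traffic:", hit)
```

One caveat follows directly from the article: PoSeidon encodes keystrokes and card numbers before sending them, so a plaintext scan like this sees nothing unless the inspection point decodes that layer first. The same check is more reliable at the edges the malware cannot encode, for example when reviewing memory images or files recovered during incident response, where the Luhn filter keeps analysts from chasing every sixteen-digit number.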
Cisco's blog says that PoSeidon is evidence of the growing sophistication of PoS malware attacks. It also notes that this is likely to be part of a long-term campaign against such systems. "As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats."