New evolutions of malware, specifically designed to steal credit card details, have been discovered just in time for Christmas. It appears that VXers (virus writers) aim to target retail POS (point of sale) cash registers during the busy Thanksgiving and Christmas shopping periods.
One of the malware specimens discovered by a Trustwave researcher is Cherrypicker. Surprisingly, it is an old favourite that has been doing the rounds since 2011. However, this is not just the Cherrypicker of old: it has been refurbished with some new features.
This revised version of Cherrypicker reflects VXers becoming more adept at reusing their old but successful virus code, adding more advanced features that allow the malware to evade detection through more robust anti-detection and anti-analysis mechanisms. In addition, this new version of Cherrypicker also comes with better credit and debit card ripping techniques, which, after all, is its purpose in life.
The VXers have also added another notable change: the Cherrypicker code now has more robust persistence mechanisms, which also allow it to wipe any trace of its presence after an attack. It can do this by rewriting files (perhaps multiple times, to hide its tracks), but it can also remove any trace of the transfer of the credit card details back to the VXer's home location.
Another specimen, found on several POS systems by Proofpoint researchers, was the AbaddonPOS malware. Of real interest here is that AbaddonPOS was being downloaded as a malicious payload after a Vawtrak infection. This is not something new, as VXers have been using multi-payload attacks for some time, but it is not a common technique when targeting POS terminals.
This would indicate that VXers see card payments at POS terminals as a potentially lucrative field, and it will be a major challenge to counter their attacks, especially now that card payments have become more common through swipe and contactless near-field payments.