New PoS malware found, says Cisco

As if retailers don’t have enough woes because of persistent cyber attacks in the last 24 months, now comes word of a new threat.

Cisco Systems’ Talos Security group has warned there’s a new family of malware that attacks Windows-based point of sale (PoS) systems circulating  that can scrape memory for credit card information. Cisco dubs the new malware family PoSeidon.

The malware includes a keylogger component that could steal passwords and therefore be the initial point of compromise.

Cisco says the attack starts with a loader binary that will first try to maintain persistence on the target machine in order to survive a possible system reboot. Upon being run, loader checks to see if it’s being executed with one of these two file names:

  • WinHost.exe
  • WinHost32.exe

If it is not, it will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next, it will start a service named WinHost so it remains running in memory even if the current user logs off.

The loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, a file called FindStr, installs the keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Graphic from Cisco Systems
Graphic from Cisco Systems

“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” says the Cisco [Nasdaq: CSCO] alert. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.

Only two weeks ago Trend Micro announced it had found a new PoS malware family that used mailslots for communications.

“We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now