Monday, January 24, 2022

New PoS malware found, says Cisco

As if retailers don’t have enough woes because of persistent cyber attacks in the last 24 months, now comes word of a new threat.

Cisco Systems’ Talos Security group has warned of a new family of malware, which it has dubbed PoSeidon, that targets Windows-based point of sale (PoS) systems and scrapes their memory for credit card information.

The malware also includes a keylogger component that could steal passwords and so may provide the attackers’ initial point of compromise.

Cisco says the attack starts with a loader binary that first tries to establish persistence on the target machine so that it survives a reboot. When run, the loader checks whether it is executing under one of these two file names:

  • WinHost.exe
  • WinHost32.exe

If it is not, it checks that no Windows service named WinHost is already running, copies itself to %SystemRoot%\System32\WinHost.exe (overwriting any existing file of that name), and then installs and starts a service named WinHost so that it keeps running in memory even after the current user logs off.
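The persistence steps above translate directly into a host check. The PowerShell below is an added example, not code from Cisco or from the malware. It assumes a PoS build has no legitimate WinHost service or WinHost.exe of its own, so any hit is worth a look; the $KnownGood allow-list is a hypothetical variable left empty for you to fill with hashes taken from your own golden image.

```powershell
# Added example (not Cisco's code): hunt one Windows host for the WinHost
# persistence artefacts described in the article. Assumption: a clean PoS
# build has no WinHost service or WinHost.exe, so presence alone is suspect.
$ServiceName = 'WinHost'
$DropPath    = Join-Path $env:SystemRoot 'System32\WinHost.exe'
$KnownGood   = @()   # hypothetical allow-list: SHA-256 of files you have vetted

$findings = @()

# 1. A service named WinHost, whatever its display name or current state.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = 'Service'
        Detail    = "$($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
    }
}

# 2. The dropped binary in System32, with its hash and Authenticode status.
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $DropPath).Status
    if ($KnownGood -notcontains $hash) {
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$DropPath sha256=$hash signature=$sig"
        }
    }
}

# 3. A live process running under either of the two loader file names.
foreach ($p in (Get-Process -Name 'WinHost','WinHost32' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{
        Indicator = 'Process'
        Detail    = "pid=$($p.Id) path=$($p.Path)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No WinHost loader artefacts found on $env:COMPUTERNAME"
} else {
    Write-Warning "Possible PoSeidon loader artefacts on $env:COMPUTERNAME"
    $findings | Format-Table -AutoSize
}
```

Run it elevated, since reading System32 hashes and service details may otherwise be incomplete. Treat it as a point-in-time indicator sweep rather than durable detection: the file and service names are trivially changed by the attacker, so pair it with monitoring for new service installations in the System event log (Service Control Manager event 7045) and with an allow-list of the services your PoS image is supposed to run.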

The loader then contacts a command and control server and retrieves a URL pointing at another binary to download and execute. The downloaded binary, a file called FindStr, installs the keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Once it has verified that a sequence is in fact a credit card number, the captured keystrokes and card numbers are encoded and sent to an exfiltration server.
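What “scans memory for number sequences” and “verifying” amount to is easiest to see on a small constructed buffer. The PowerShell below is an added example, not Cisco’s or the malware’s code. It assumes the verification is a Luhn checksum (the standard plausibility test for a card number; the article does not say what FindStr uses), and it runs the scan over an ASCII byte string made up here to stand in for a region of process memory.

```powershell
# Added example: how a memory scraper narrows raw bytes down to card numbers.
# Assumption: "verifying" means a Luhn checksum; the article does not say.

function Test-Luhn {
    # Standard Luhn (mod 10) check; true for a well-formed card number.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CandidatePans {
    # Treat the buffer as ASCII, pull out every 13-19 digit run that is not
    # part of a longer run, and tag each one with its Luhn result.
    param([Parameter(Mandatory)][byte[]]$Buffer)
    $text = [System.Text.Encoding]::ASCII.GetString($Buffer)
    foreach ($m in [regex]::Matches($text, '(?<!\d)\d{13,19}(?!\d)')) {
        [pscustomobject]@{
            Offset = $m.Index   # equals the byte offset, as ASCII is one byte per char
            Digits = $m.Value
            Luhn   = Test-Luhn $m.Value
        }
    }
}

# Constructed stand-in for a slice of PoS process memory (not real data):
# a transaction timestamp, a Luhn-valid test PAN, a tampered copy of it,
# the same PAN written with spaces, and a track-2 style record.
$sample = [System.Text.Encoding]::ASCII.GetBytes(
    'txn=20220124093015000 pan=4111111111111111 exp=2512 ' +
    'bad=4111111111111112 spaced=4111 1111 1111 1111 ' +
    'track2=;4242424242424242=251210112345?')

# To run this against a real process instead, dump it first (for example with
# Sysinternals procdump) and load the dump with
# [System.IO.File]::ReadAllBytes($path).
Find-CandidatePans -Buffer $sample | Format-Table -AutoSize
```

On the sample, the timestamp and the tampered PAN fail Luhn, the two test PANs pass, and the space-separated copy is never matched at all, because a scan for unbroken digit runs cannot see it; a scanner that also understands the track-2 layout (the `;PAN=YYMM...?` form) catches more. The defensive use is the same code pointed at a dump of your own PoS process: if it returns Luhn-valid PANs, cleartext card data is sitting in memory, which is precisely the exposure this malware depends on, and encrypting at the card reader is what removes it.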

Graphic from Cisco Systems

“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” says the Cisco [Nasdaq: CSCO] alert. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.”

Only two weeks ago Trend Micro announced it had found a new PoS malware family that used mailslots for communications.

“We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack. This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
