Dexter Malware, the rise of malware that hits point of sales

Security experts at Arbor Networks have found a couple of servers used to arrange a malicious campaign against PoS with Dexter malware.

At the end of 2012, Israel based company Seculert  notified about Dexter malware, used for parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data.

Dexter campaigns hit hotels, restaurants and big retailers in 40 countries, most of them located in the US and the UK.

The Dexter point-of-sale malware is still active in Russia, the Middle East and Southeast Asia, but it is not the unique malware designed to menace the world of payment, early 2013 Group-IB detected a new POS malware “DUMP MEMORY GRABBER” a few months after the detection of similar agents like vSkymmer and Project Hook.

Recently my colleagues at IntelCrawler have discovered a huge credit card fraud realized with a point-of-sale botnet mainly based on compromised machines belonging to US merchants.

These malware despite appearing very alarming during holiday shopping days, are very effective during all the year. Malware like Dexter and Project Hook are used by cybercriminals to infect computers hosting PoS software and capture data from each payment operation, the malicious software is used to substitute physical skimmer usually adopted by criminals.

Last discovery was made by a group of researchers at Arbor Networks that has found in November two servers hosting the Windows-based Dexter malware, Arbor Networks senior research analyst Curt Wilsonrevealed that during monitoring activity its team saw 533 infected endpoints call back to the command and control infrastructure that are no longer on line.

Arbor experts haven’t discovered when the infections are started, it is likely that the attack was started with a classic spear phishing attack that lured victims to compromised websites hosting Dexter malware or the attackers exploited the knowledge of the default settings of targeted systems.

The security firm has reported the discovery to the Financial Services Information Sharing and Analysis Center (FS-ISAC) and of course to law enforcement.

“The way the attackers had the server set up, we saw credit card data posted to the site,” “The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing.” said Wilson.

Arbor experts have identified three different versions of Dexter:

• Stardust, that represents substantially the original version.
• Millenium.
• Revelation, the newest instances that implement data transfer also over FTP.

Once collected dumps of credit card data, cyber criminals sale them on the black market to allow other criminals to produced cloned cards.

“This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”

Point-of-sale systems are privileged targets for cybercriminals, in the majority of cases these systems are not dedicated PoS servers and they are poorly protected.

“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to it,”“That’s a bad practice to pile so much on one system.  An attacker with access to credit card data would also have access to anything else the management system has access too.” Wilson said.

Fortunately, as confirmed by Wilson, it is possible to use defense systems able to recognize the presence of Dexters including basic antimalware that should catch the process-injection techniques used here.

No doubts, the number of malware used to steal data from PoS will increase in the next months, that’s the time to think seriously of the security level of systems so critical for the business.

Pierluigi Paganini

(Security Affairs –  Dexter, Malware)