Trustwave has published an interesting report on point-of-sale malware, based on its investigation of different breaches involving payment card data. The experts at Trustwave examined a large amount of malware that targets point-of-sale devices; this family of malicious code is specifically designed to steal the sensitive information stored in the magnetic stripe of a payment card. Point-of-sale malware is able to steal data directly from PC memory or from the disk of the infected machine. According to Trustwave, 2013 was characterized by an evolution of POS malware, a growth never seen before. The experts noticed in particular new developments in data exfiltration techniques; the command and control (C&C) functionality was also substantially improved, for example with the use of Tor networks.
“We also saw evidence of more authors automating the installation and control of their malware in 2013. While Trustwave discovered a number of new POS malware families exhibiting botnet-like tendencies, a number of well-known, older families also made an appearance.” states the post published by Trustwave.
Alina was the most prevalent malware family (19.1%) within the cases investigated by Trustwave, followed by Baggage (16.5%) and Triforce (11.2%). Other point-of-sale malware families used by criminal gangs worldwide were BlackPOS, Dexter and ChewBacca.
The report also provides further information on the principal POS malware families. Dexter was considered unusual for a memory-dumping tool because it performs process injection, logs keystrokes and includes a C&C structure. Another significant point-of-sale malware family is ChewBacca, which implemented an exfiltration mechanism over the Tor network, where its C&C servers were hosted.
“Debuting in late 2012, Alina surprised many, because it was one of a small number of POS malware families that included a C&C structure, encrypted the data it exfiltrated, blacklisted common Windows processes and installed itself to a randomly chosen name.”
As noted in the report, in many cases cyber criminals used commercial keyloggers to infect POS systems. A characteristic common to all the POS malware families is the lack of encryption for exfiltrated data; the “exclusive OR” (XOR) operation is the encryption technique most used by malware authors (32%), followed by Blowfish (3.7%).
Analyzing the exfiltration methods used by point-of-sale malware, the experts discovered that in the majority of cases (41%) the attackers do not adopt a C&C infrastructure but leave the stolen data on disk, to be extracted manually later. HTTP is the second most common exfiltration technique (29%), followed by SMTP (22%).
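Two of the findings above, that stolen data is most often staged on disk for later manual pickup and that single-byte XOR is the obfuscation most commonly applied to it, give incident responders something concrete to hunt for on a suspect POS host. The following Python is an added example, not code from the Trustwave report: it scans a file image for XOR-encoded track-2 records, validating candidate PANs with the Luhn check to suppress random digit runs, and uses a constructed sample built from the well-known Visa test PAN.

```python
import re
from typing import Optional

# Track 2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit validation, used to reject random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30                      # ASCII digit -> integer
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_track2(blob: bytes) -> list:
    """Return (PAN, expiry) pairs for track-2 records whose PAN passes Luhn."""
    return [(m.group(1).decode(), m.group(2).decode())
            for m in TRACK2_RE.finditer(blob) if luhn_ok(m.group(1))]

def scan_xor_dump(blob: bytes) -> Optional[tuple]:
    """Try the blob as-is (key 0), then every single-byte XOR key.
    Returns (key, hits) for the first key that yields Luhn-valid track data,
    or None when nothing resembling track data is found."""
    for key in range(256):
        candidate = blob if key == 0 else bytes(b ^ key for b in blob)
        hits = find_track2(candidate)
        if hits:
            return key, hits
    return None

# Constructed sample (not real card data): a fake track-2 record using the
# public Visa test PAN, wrapped in filler and XOR-encoded with key 0x5A, the
# way a staged dump file left on disk might look.
FAKE_TRACK2 = b";4111111111111111=25121011234567890?"
SAMPLE_DUMP = bytes(b ^ 0x5A for b in b"junk-header\x00" + FAKE_TRACK2 + b"\x00trailer")

if __name__ == "__main__":
    print(scan_xor_dump(SAMPLE_DUMP))   # -> (90, [('4111111111111111', '2512')])
```

Running the scanner over the whole of a suspect host's writable directories (temp folders, the malware's install path) is the practical use; a hit on a key other than 0 is a strong indicator of a staged dump rather than legitimate data.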
The report ends with a look at POS malware persistence mechanisms, which, like the exfiltration techniques, did not change significantly from 2012 to 2013. The point-of-sale malware analyzed maintained persistence in one of the following ways:
(Security Affairs – point-of-sale malware, cybercrime)