PoS malware d4re|dev1| is also targeting Mass Transit Systems

Security experts at IntelCrawler discovered a strain of PoS malware that is also targeting ticket vending machines and electronic kiosks.

IntelCrawler cyber threat intelligence firm has detected a new strain of Point-of-Sale malware called “d4re|dev1|” (read dareldevil), which is used by cyber criminals to infect ticket vending machines and electronic kiosks.

The experts discovered new POS malware infecting Mass Transit Systems, the malware appears as a sophisticated backdoor, which allows remote control of victims.  d4re|dev1| implements the functionalities of RAM scrapping and keylogging features exactly like any other POS malware.

The experts at IntelCrawler explained that d4re|dev1| is able to steal data from several PoS systems, including QuickBooks Point of Sale Multi-Store, OSIPOS Retail Management System, Harmony WinPOS and Figure Gemini POS.

The number of data breaches cause by cyber attacks based on POS malware is increased significantly in the last year, the retail industry is the most targeted sector.

IntelCrawler reports that cybercriminals also compromised ticket vending machines used by mass transportation systems and electronic kiosks installed in public areas. One of the infected ticket vending machine was identified in August in Sardinia, Italy, and attackers obtained the access exploiting credentials for a VNC (Virtual Network Computing).

“These kiosks and ticket machines don’t usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme,” states IntelCrawler.

In a classic attack scenario, threat actors used to compromise the targeted POS by discovering the remote administrative credentials, for example through a brute force attack.

Researchers at IntelCrawler believe that attackers use this tactic to compromise the POS systems, anyway the d4re|dev1| malware also allows operators to remotely upload files to the victim’s machine, in this way the attacker can provide updates to code or to serve additional payloads for lateral movement inside the local network.

“The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection.” said InterCrawler.

The experts observed that enterprise wide network environments represent the privileged target for cyber criminals.

“Serious cybercriminals are not interested in just one particular Point-of-Sale terminal—they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 [command-and-control] servers,” states the blog post published by IntelCrawler.

The experts at InterlCrawler highlight that the employees of breached companies commonly violated security policies, for example is very common that they used the terminals to navigate on the web, check their email, to access social network accounts and play online games.

The experts recommend using a secure connection for administrative activities and limit the software environment for operators,” using proper access control lists and updated security polices”.

Pierluigi Paganini

(Security Affairs –  POS Malware, WinCC, d4re|dev1|)