New GamaPoS Malware served by the Andromeda Botnet

Pierluigi Paganini July 17, 2015

The experts at Trend Micro discovered GamaPoS, a new PoS malware that is spread through the Andromeda botnet in the US and Canada.

GamaPoS is the name of the last PoS malware used by criminal crews to steal credit card data from the memory of payment systems. Security experts at Trend Micro discovered which discovered the GamaPoS malware explained that it is distributed by a large botnet known as Andromeda, which has been around since 2011.

“We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet .states Trend Micro in a blog post.

The experts found systems infected in the US and Canada, the malware that targets Windows systems is written in Microsoft’s.

TROJ_GATAK infection count per region

NET. Researchers explained that the choice of .Net is unusual for RAM scraping PoS malware.

The experts noticed that hackers have chosen to spread the malware through a botnet instead by stealing or guessing remote access credentials in response to countermeasures implemented by many retailers. Many organizations, in fact, have improved the security of their systems protecting internal resources from remote attacks.

Bad actors have used a botnet in order to infect machines worldwide, including machines inside the trusted internal networks of target organizations.

Trend Micro reported that the attacks start with spam messages containing malicious emails purporting to include PCI DSS (Payment Card Industry Data Security Standard) compliance documents or software updates necessary to protect systems from the recently discovered MalumPs malware. The attachments contain malicious macros that install the backdoor on the infected PC that is used to serve the GamaPoS.

“This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPOS may have only hit 3.8% of those affected by Andromeda.” continues the post.

The experts also discovered that threat actors used the backdoor to download tools that can be used to to manually hack other systems from the networks of affected organizations and make lateral movements .

The experts detected infected systems in a number of industries, including home health care, online retail and consumer electronics.

GamaPoS targets a range of cards, including Visa and Discover, their users are exposed to the risk of hack.

“While the evaluated example does not do Luhn validation, GamaPoS does manually filter the data by evaluating the first few numbers of the scraped data.

  • 4 (length=12) – Visa
  • 56 to 59 (length=14) – Maestro and other ATM/debit cards
  • 6011 (length=12) – Discover Card
  • 65 (length=14) – Discover

Finally, it would attempt to upload the collected data via the command-and-control server that has been selected during initial execution.” states the post.

Pierluigi Paganini

(Security Affairs – GamaPoS PoS malware, cybercrime)

you might also like

leave a comment