A variant of the Angler Exploit Kit used to infect PoS Systems

Experts at Trend Micro discovered that cyber criminals are exploiting the popular Angler Exploit kit to find and infect PoS systems.

The popular Angler Exploit kit is used by criminal crews to find and infect PoS systems, this is the last disconcerting discovery made by the experts at Trend Micro.

The security researcher Anthony Joe Melgarejo explained that the sophisticated Angler exploit kit is used to target in sophisticated attacks the point-of-sale (PoS) systems, the specific use represents a novelty in the cyber criminal ecosystem. It is the first time that investigators discover a variant of the popular Angler Exploit kit specifically crafted to compromise also PoS platforms.

“An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan,This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system like if it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this utilizes the fileless installation capability of the Angler Exploit Kit to avoid detection.” Melgarejo says.

Melgarejo explained that the Angler Exploit Kit often uses malvertising campaign and compromised websites as the starting point for infection.

For the specific attacks against PoS systems, experts at Trend Micro found that the infection chain exploited two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). Once triggered the flaws the TROJ_RECOLOAD.A malware compromise the target.

“[The] PoS reconnaissance trojan (Troj_Recoload.a) checks for multiple conditions in the infected system such as if it is a PoS machine or part of a PoS network,” added Melgarejo in the blog post. “It then proceeds to download specific malware depending on the conditions met.” “This utilises the fileless installation capability of the Angler Exploit Kit to avoid detection.”

The efficiency of this variant of the popular Angler Exploit kit is improved by the implementation of several anti-analysis tricks, including the shut down in the presence Wireshark network analyzer, virtualizated environments, sandboxing, and known malware probe tool usernames.

Pierluigi Paganini

(Security Affairs – Angler Exploit Kit,  PoS systems)