Categories: Breaking NewsCyber CrimeMalware

A variant of the Angler Exploit Kit used to infect PoS Systems

Experts at Trend Micro discovered that cyber criminals are exploiting the popular Angler Exploit kit to find and infect PoS systems.

The popular Angler Exploit kit is used by criminal crews to find and infect PoS systems, this is the last disconcerting discovery made by the experts at Trend Micro.

The security researcher Anthony Joe Melgarejo explained that the sophisticated Angler exploit kit is used to target in sophisticated attacks the point-of-sale (PoS) systems, the specific use represents a novelty in the cyber criminal ecosystem. It is the first time that investigators discover a variant of the popular Angler Exploit kit specifically crafted to compromise also PoS platforms.

“An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan,This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions in the infected system like if it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this utilizes the fileless installation capability of the Angler Exploit Kit to avoid detection.” Melgarejo says.

Melgarejo explained that the Angler Exploit Kit often uses malvertising campaign and compromised websites as the starting point for infection.

For the specific attacks against PoS systems, experts at Trend Micro found that the infection chain exploited two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). Once triggered the flaws the TROJ_RECOLOAD.A malware compromise the target.

“[The] PoS reconnaissance trojan (Troj_Recoload.a) checks for multiple conditions in the infected system such as if it is a PoS machine or part of a PoS network,” added Melgarejo in the blog post. “It then proceeds to download specific malware depending on the conditions met.” “This utilises the fileless installation capability of the Angler Exploit Kit to avoid detection.”

The efficiency of this variant of the popular Angler Exploit kit is improved by the implementation of several anti-analysis tricks, including the shut down in the presence Wireshark network analyzer, virtualizated environments, sandboxing, and known malware probe tool usernames.

Pierluigi Paganini

(Security Affairs – Angler Exploit Kit, PoS systems)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.