The new FighterPOS PoS Malware implements worm capabilities

Pierluigi Paganini February 29, 2016

The threat actors behind the FighterPOS PoS malware have added worm capabilities to their malicious code, which is now targeting systems in the United States.

PoS malware represents a serious threat to several industries, from retail to the hotel industry. During the last twelve months, security experts have discovered a significant number of payment card frauds involving PoS malware. PoS malware is a very effective weapon in the arsenal of cyber criminals.

In April 2015, security experts at Trend Micro discovered a new family of PoS malware, dubbed FighterPOS, that infected the systems of more than 100 organizations in Brazil, allowing crooks to steal more than 22,000 unique credit card records.

FighterPOS was offered for sale for more than $5,000 worth of Bitcoins. It is now also spreading outside Brazil: researchers at Trend Micro reported that the number of infections in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.


Cyber criminals have started targeting the United States: the researchers detected new samples of the FighterPOS malware that include strings written in English instead of the Portuguese used in Brazil.

“It is also interesting to note that based on the analysis of their code, the new FighterPOS samples have strings of code written in English, instead of Portuguese. This leads us to speculate that whoever is behind the new versions are operating in English-speaking countries, and are shifting to target other countries like the United States.” states the analysis published by Trend Micro.

The malware researchers discovered two new strains of the FighterPOS malware, called TSPY_POSFIGHT.F and WORM_POSFIGHT.SMFLK. WORM_POSFIGHT.SMFLK, also known as “Floki Intruder,” is more sophisticated than TSPY_POSFIGHT.F: it has the ability to disable the firewall, User Account Control (UAC) and other Windows protections, and it is able to detect the presence of security products using Windows Management Instrumentation (WMI).

The lightweight FighterPOS variant, TSPY_POSFIGHT.F, doesn’t act as a backdoor and is not able to receive commands. It has been designed to send the payment card logs collected by other PoS malware back to the C&C server.

The Floki Intruder is spread through websites compromised by attackers, and it can be updated by receiving packages from the command and control (C&C) servers.

The most interesting improvement in the new strain of the FighterPOS malware is the implementation of worm capabilities. The Floki Intruder variant is able to locate other PoS systems on the same network and infect them.

The malware enumerates logical drives and drops copies of itself and an autorun.inf file using WMI. The autorun.inf allows the execution of the malware when the logical drive is accessed.


“Perhaps the most notable update Floki Intruder has from FighterPOS is that it is able to enumerate logical drives to drop copies of itself and an autorun.inf by using WMI. Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.” states the analysis.
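From the defender's side, the autorun.inf drop described above can be checked for on each drive root. The following Python code is an added example, not taken from the Trend Micro analysis or from this article; it parses an autorun.inf, lists the entries that would launch a program, and reports whether the referenced file sits in the same root. The file names and the sample autorun.inf content are constructed placeholders.

```python
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")

def launch_targets(inf_text):
    """Return (key, command) pairs from the [autorun] section that launch something."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found

def command_target(command):
    """Extract the program path from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def scan_root(root):
    """Report autorun.inf launch entries in one drive root and whether the target exists."""
    findings = []
    for inf in (p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf"):
        for key, command in launch_targets(inf.read_text(encoding="latin-1")):
            target = command_target(command)
            path = Path(root) / target.replace("\\", "/").lstrip("/")
            findings.append({"key": key, "target": target, "present": path.is_file(),
                             "executable": target.lower().endswith(EXEC_EXTS)})
    return findings

def demo():
    """Build a constructed drive root (empty placeholder file, no real sample) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "AutoRun.inf").write_text(
            "; constructed sample\n[AutoRun]\nopen=placeholder_copy.exe\n"
            "icon=shell32.dll,4\nshell\\open\\command=\"placeholder copy.exe\" /s\n")
        Path(root, "placeholder_copy.exe").touch()
        return scan_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An entry with `present` and `executable` both true on a PoS terminal's fixed or shared drive is the pattern worth triaging; run `scan_root` once per logical drive root.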

Pierluigi Paganini

(Security Affairs – FighterPOS malware, cybercrime)


