New PoS Malware LockPoS emerges in the threat landscape

Pierluigi Paganini July 13, 2017

A newly discovered Point of Sale (PoS) malware dubbed LockPoS appeared in the wild and it is being delivered through the Flokibot botnet.

A newly discovered Point of Sale (PoS) malware is being delivered via a dropper that is manually loaded and executed on the targeted systems, Arbor Networks Security researchers warn.

Arbor Networks researchers discovered a new Point of Sale (PoS) malware, dubbed LockPoS, in the threat landscape.

LockPoS uses command and control (C&C) infrastructure that was used by Flokibot against Brazilian users.

The Floki bot is a banking Trojan based on Zeus that has been sold on the cybercrime underground since September 2016. The malware was developed starting from the Zeus source code that was leaked in 2011, and it is offered for $1,000 worth of bitcoins.

The experts from Flashpoint who discovered it in the wild in December speculated that the Floki Bot has a Brazilian origin: the threat actor behind the malware was using the “flokibot” moniker and communicated in Portuguese. It targeted Brazilian IPs and domains, as well as systems with the default language set to Portuguese.

The LockPoS malware was compiled in late June and uses a dropper that injects the malicious code directly into the explorer.exe process.

The malware has to be manually loaded and executed. The dropper then extracts a resource file from itself; this resource contains multiple components that are injected into explorer.exe and work as a second-stage loader. Next, the malicious code decrypts, decompresses, and loads the final LockPoS payload.

LockPoS implements a regular “registry run” method for persistence and obfuscates important strings using XOR and a key of “A”.
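For analysts triaging a suspected sample, the single-byte XOR described above can be undone across a whole binary to surface the hidden strings. The following is an added example, not code from the Arbor Networks analysis or from the malware; the sample blob is constructed, and the Run key path and process name in it are assumed stand-ins.

```python
import re

XOR_KEY = 0x41  # ASCII "A", the single-byte key the article reports


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, key: int = XOR_KEY,
                     min_len: int = 6, min_alpha: float = 0.6):
    """Return (offset, text) for byte runs that decode to readable strings.

    XOR keeps length, so offsets in the decoded view equal offsets in blob.
    """
    decoded = xor_bytes(blob, key)
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, decoded):
        text = m.group().decode("ascii")
        # Plaintext lowercase XOR 0x41 lands on punctuation and digits, so a
        # letter-ratio floor drops strings that were never obfuscated.
        if sum(c.isalpha() for c in text) / len(text) < min_alpha:
            continue
        # Zero padding decodes to a run of the key character ("AAAA...").
        if len(set(text)) < 3:
            continue
        hits.append((m.start(), text))
    return hits


# Constructed sample: the standard Windows Run key path and a process name
# are assumed stand-ins for the strings a real sample would hide.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _obf(s: str) -> bytes:
    """Obfuscate a NUL-terminated ASCII string the way the article describes."""
    return xor_bytes(s.encode("ascii") + b"\x00")


SAMPLE = (b"\xff\xff" + b"This program cannot be run in DOS mode" + b"\xff\xff"
          + b"\x00" * 16 + b"\xff" + _obf(RUN_KEY) + _obf("explorer.exe")
          + b"\xff\xff")

if __name__ == "__main__":
    for offset, text in find_xor_strings(SAMPLE):
        print(f"0x{offset:04x}  {text}")
```

The plaintext DOS stub string and the zero padding in the sample are both ignored, which are the two false positives a naive decode-everything pass produces with this key.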

“LockPoS uses the regular “registry run” method for persistence. It obfuscates important strings using XOR and a key of “A”. An initial configuration (which includes the C2 URL) is stored unencrypted as a resource named “XXXX”:” states the analysis.

“C2 communications are via HTTP and using a very telling User-Agent.”

The malware communicates with the C&C server via HTTP. Once it has infected a machine, it sends back to the server several pieces of information, including username, computer name, bot ID, bot version, CPU, physical memory, display devices, Windows version and architecture, and the MD5 hash of the currently running sample.

“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like. Here’s a snippet of the matching function,” continues the analysis. 


LockPoS has been distributed via a Flokibot botnet, likely by the same threat actors, who are focused on Brazilian users.

Experts highlighted that the same C&C used by the hackers, treasurehunter[.]at, was used in another PoS malware campaign spotted by FireEye last year and tracked as TreasureHunt.

Arbor Networks explained that the LockPoS is a totally different malware family from TREASUREHUNT.

“One thing to note about the analyzed C2 server (treasurehunter[.]at) is that there is a name overlap with another PoS malware that FireEye wrote about in 2016 called TREASUREHUNT. Based on their research on its C2 communications, panel, and other IoCs it looks like LockPoS and TREASUREHUNT are separate families.”

“It is currently unclear whether LockPoS is an exclusive malware associated with one threat actor or whether it will be sold on underground forums like Flokibot was,” continues the analysis.


Pierluigi Paganini 

(Security Affairs – LockPoS, PoS malware)
