‘PwnPOS’: newly-identified sales-device malware thrives in Windows XP environments
Wed 4 Mar 2015
Trend Micro have identified a new strain of Point-of-Sale (PoS) malware which appears to have been active since at least 2013, and which is likelier to run most successfully in the 32-bit Windows XP systems used by the majority of sales terminals.
Dubbed PwnPOS, the researchers note the malware’s ‘simple but thoughtful construction’, which consists of a RAM scraper binary executable and an exfiltration binary designed to manage and re-communicate extracted data.
The RAM scraper monitors and dumps the infected device’s data throughput, which is then saved and examined by the second binary. The author, threat analyst Jay Yaneza, notes adequate development of the second binary through the various iterations of PwnPOS to ascribe the two sections of the malware to two different authors.
Yaneza observes that the critical PwnPOS executable requires the system path SystemRoot%\system32, since the malicious service installed needs to communicate with C:\WINDOWS\system32\wnhelp.exe –service. On newer 64-bit Windows-based systems, the program cannot execute, due to the difference in expected path-names.
Yaneza observes: “The above-mentioned caveats may be a non-issue since a good majority of PoS terminals are still running on Windows XP and there is no pressing need for 64-bit operating system installations in these kinds of systems,”
The report notes that PwnPOS has been observed operating alongside filial PoS malware strains such as Alina and BlackPOS, and mainly in SMB environments in Japan, India, Australia, North America (The United States and Canada), Romania and Germany.
The PosRAM scraper category of malware [PDF] includes variants such as Decebal, BrutPOS, Chewbacca, VSkimmer, and Dexter, but the variants can have wildly different characteristics, including feigning to be Java, using socially engineered filenames, auto-updating from C&C servers, code injection and multiple exfiltration methods. Commonly this class has a self-removing ‘kill switch’ functionality – one of the characteristics that can hide a new strain from security researchers for an extended period of time, as demonstrated by today’s Trend Micro report.
Microsoft ended support for the Windows XP system in April of 2014, but the 2001-released operating system continues to encourage loyalty – and even take-up – in consumer and professional environments. Last November American cyber threat intelligence firm IntelCrawler identified the ‘d4re|dev1|’ PoS malware, and asserted that many of the case of infection which involved it led on from inappropriate use of the operating system in the sales device.