Researchers at Trend Micro have identified a new strain of the NewPosThings point-of-sale (PoS) malware. The new variant of NewPosThings malware is a 64-bit version of NewPosThings, a point-of-sale (PoS) malware discovered by experts at Arbor Networks in September 2014. The experts confirmed that the malware had been in development since October 2013, since then many variants were detected in the wild, including last variant that was designed for 64-bit architectures.
The most recent variant, NewPosThings 3.0, implements a custom packer and new anti-debugging mechanisms.
NewPosThings malware was designed to steal payment card data and other sensitive information from the targeted machine through memory scraping, it has also the ability to harvest user input.
The NewPosThings variant, coded as TSPY_POSNEWT. SM, installs itself on the victim’s machine using different names that appear familiar to the users, including javaj.exe, vchost.exe, dwm.exe, ism.exe and isasss.exe.
As explained in the analysis published by TrendMicro, the choice of the name is not casual, but it is the result of an algorithm that calculate in based on information related to the infected machine like its name and the volume serial number.
To obtain persistence on the target, NewPosThings used a registry entry with the name “Java Update Manager”.
Once infected the target, the NewPosThings starts gathering sensitive data, including passwords for virtual network computing (VNC) software such as UltraVNC, RealVNC, WinVNC, and TightVNC. Then, the malware disables the warning messages used by the OS for certain file extensions, including .exe,.bat,.reg and .vbs. .exe,.bat,.reg and .vbs.
“Disabling the Open File Security Warning of Microsoft Windows reduces the overall security posture of the Microsoft Windows host operating system. This is because the system no longer prompts the user for validation when opening up files that could have been downloaded from malicious sources,” states the blog post published by Trend Micro.
The NewPosThings checks the presence of financial software on the target machine, when it recognizes the associated process it search for patterns that could be associated with credit/debit card numbers and like other malware uses the Luhn algorithm to validate the data.
The same algorithm was used for card number validation by recently discovered PoSeidon and Soraya malicious codes.
NewPosThings transfers data to the command and control (C&C) server every 10 minutes. The collected data is sent to the server via HTTP.
Among the C&C servers used by the malware authors there are also IP addresses associated with two US airports.
“While analyzing the C&C servers used by the PoS Trojan, experts identified IP addresses associated with two airports in the United States. Trend Micro PoS Trojan, experts identified IP addresses associated with two airports in the United States. Trend Micro warned that travelers will be increasingly targeted and that airports are a target-rich environment.”
No doubts, PoS malware is becoming even more popular in the criminal underground and expert expect a spike in their use in the next months.
(Security Affairs – NewPosThings, PoS malware)