NitlovePoS, The New PoS Malware is being spread by Spam

Pierluigi Paganini May 26, 2015

Researchers at FireEye have detected a new strain of point-of-sale (POS) malware being used in the wild and served through a spam campaign.

A new malware called NitlovePoS has the capability of capture and exfiltrate track one and two from payment cards, and to accomplish that it scans the running processes of the infected machine.

FireEye announced that crooks created a new campaign, using emails with subjects as “Any Jobs?”, “Any openings?”, “Internship”, “Internship questions”, “Internships?”, “Job Posting” ,”Job questions” ,”My Resume” ,”Openings?”, and they believe that all started on May 20. Inside the email it exists an attachment named “CV_[4 numbers].doc” or “My_Resume_[4 numbers].doc”,  that looks like a resume but in fact in a malicious macro disguised as a resume.

nitlove 1

If the document is opened and the and macro is enabled, the “malicious macro will download and execute a malicious executable from 80.242.123.155/exe/dro.exe.”

“To trick the recipient into enabling the malicious macro, the document claims to be a ‘protected document’,” said FireEye researchers.

This campaign is on-going yet and the crooks have been updating the payload so keep pay attention to any suspect e-mails.

“We focused on the “pos.exe” malware and suspected that it maybe targeted Point of Sale machines,”We speculate that once the attackers have identified a potentially interesting host form among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE’s [hosted] on that server, we have only observed three downloads of “pos.exe”.” added FireEye researchers. 

When infect the machine, the malware will add itself into the registry key to ensure that it will be able to run again after a reboot.

“NitlovePOS expects to be run with the “-” sign as argument; otherwise it won’t perform any malicious actions,””This technique can help bypass some methods of detection, particularly those that leverage automation.”

“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data,” “If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort.”

NitlovePoS is not the only a POS malware “out there”, and since the beginning of 2015 many others PoS malware have benn seen, malware such Punkey and FighterPOS.

It’s important to say to the reader that there are some solutions that have been doing very good in protecting point-of-sale environments, and I am talking about the next-generation firewalls, since its enforces the network segmentation,

“The key advantage that NGFW (next-generation firewalls) provides for network segmentation is application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled,”.

As a conclusion, please keep in mind that most probably until the end of 2015 we will see an increased in incidents related with POS malware incidents where data exposure was successful and

“Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminal s a window of opportunity to exploit the use of a new variant. We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cybercrime marketplace.”

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – NitlovePoS , POS Malware)



you might also like

leave a comment