Malware specifically designed to reside on point-of-sale (PoS) systems and steal card data has been a key tool in the arsenals of cybercriminals for many years, and PoS malware has been linked to some of the largest data breaches in history. Researchers recently have seen two new strains of PoS malware in use: one that includes a domain-generation algorithm (DGA) to make its command-and-control infrastructure harder to block, and another that is linked to the operator of a separate botnet.
PoS malware comes in all shapes and sizes, and there are dozens of different kinds for sale on underground forums and in private transactions. Researchers at Flashpoint have discovered that some attackers recently have been using the DMSniff PoS malware to steal card data from small businesses in both the restaurant and entertainment industries. DMSniff has been in use for at least a couple of years, but until recently it was sold only in private transactions. The Flashpoint researchers say that attackers using the malware likely compromise target PoS devices either by brute-forcing SSH credentials or by exploiting a known vulnerability.
To help evade detection, DMSniff uses a DGA to generate a number of command-and-control domains quickly, domains that the malware can then use to communicate with the outside world once it is on a new network. Because the domains are computed by the bot rather than hardcoded, blocking or seizing any one of them does not cut the bot off from its operators; the flip side is that a defender who recovers the algorithm and its constants can precompute the full list of candidate domains and watch or block them in advance.
“The DGA is based on a number of hardcoded values; in the samples researchers have found, the first two characters of the generated domains are hardcoded in the bot. Researchers have found 11 variants of this DGA so far, all structured in the same algorithm, but with variable first two letters and hardcoded multiply values in the algorithm,” Flashpoint’s Joshua Platt and Jason Reaves wrote in an analysis of DMSniff.
“The bot loops through the domain generation while rotating through a list of top-level domains (TLDs) — e.g. .in, .ru, .net, .org, .com — until it finds a server it can talk to. The data that was harvested by the bot to create a hostid is then sent off inside the user-agent.”
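The shape of the DGA described above (a hardcoded two-letter prefix, a hardcoded multiplier, and rotation through a list of TLDs until a live server is found) is easier to reason about with a concrete generator in hand, both from the bot's side and from the defender's side, where the same function precomputes the candidate list for a blocklist. The following Python is an added example, not DMSniff's code and not taken from the Flashpoint analysis: the mixing step, the constants, the seed handling, and the User-Agent format are all invented for illustration, and only the overall structure (prefix, multiplier, TLD rotation, hostid in the User-Agent) follows the article.

```python
"""Illustrative DGA with the structure the Flashpoint analysis describes.

This is an added example, NOT DMSniff's real algorithm: the mixing
constant, the seed handling and the User-Agent layout are assumptions.
"""
import string

# TLD list quoted in the article; the bot rotates through these.
TLDS = [".in", ".ru", ".net", ".org", ".com"]
ALPHABET = string.ascii_lowercase + string.digits
MIX_CONSTANT = 0x1F3D5B79  # hypothetical additive constant, 32-bit LCG style


def generate_label(seed: int, prefix: str, multiplier: int, length: int = 10) -> str:
    """Build one domain label: hardcoded prefix, then pseudo-random characters."""
    state = seed & 0xFFFFFFFF
    label = prefix
    while len(label) < length:
        state = (state * multiplier + MIX_CONSTANT) & 0xFFFFFFFF
        label += ALPHABET[state % len(ALPHABET)]
    return label


def generate_domains(seed: int, prefix: str, multiplier: int, count: int) -> list[str]:
    """Return `count` candidate C2 domains, rotating TLDs as the article describes."""
    domains = []
    for i in range(count):
        label = generate_label(seed + i, prefix, multiplier)
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def variant_domains(seed: int, variants: list[tuple[str, int]], count: int) -> dict:
    """Defender's view: precompute the candidate list for every known
    (prefix, multiplier) variant so it can be fed to a blocklist or sinkhole."""
    return {(p, m): generate_domains(seed, p, m, count) for p, m in variants}


def matches_known_variant(domain: str, seed: int, variants: list[tuple[str, int]], count: int = 50):
    """Return the (prefix, multiplier) variant that would produce `domain`, or None."""
    for key, candidates in variant_domains(seed, variants, count).items():
        if domain in candidates:
            return key
    return None


def build_beacon_headers(hostid: str) -> dict:
    """The article says the harvested hostid travels in the User-Agent;
    the exact UA format here is an assumption for the example."""
    return {"User-Agent": f"Mozilla/5.0 (compatible; {hostid})"}


if __name__ == "__main__":
    # Two hypothetical variants, differing only in prefix and multiplier.
    known_variants = [("ab", 17), ("cd", 19)]
    for variant, doms in variant_domains(seed=1, variants=known_variants, count=5).items():
        print(variant, doms)
    observed = generate_domains(1, "ab", 17, 5)[3]
    print(observed, "->", matches_known_variant(observed, 1, known_variants, 10))
    print(build_beacon_headers("POS-TERMINAL-01"))
```

In practice the seed would be whatever the real sample derives it from (a date, a hardcoded value, or data read from the host), and recovering that derivation from the binary is what makes the precomputed list useful; a DNS log search for labels that start with one of the known two-letter prefixes and hit several of the listed TLDs in quick succession is a reasonable first hunt even before the seed is known.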
Botnets and other types of malware have used DGAs for many years, but the technique isn’t nearly as common in PoS malware.
Researchers at Cisco’s Talos Group also came across a new piece of PoS malware, called GlitchPOS, which appears to be connected to a malware author who has sold other kinds of malware in the past. GlitchPOS is sold on malware forums and, like DMSniff and other PoS malware, it is designed to capture card data on infected devices while that data is still unencrypted. The threat actor who is selling GlitchPOS, and who appears to have created it, has also been seen selling the older DiamondFox malware, which had some PoS capabilities too.
“In 2017, the DiamondFox malware included a POS plugin. We decided to check if this module was the same as GlitchPOS, but it is not. For DiamondFox, the author decided to use the leaked code of BlackPOS to build the credit card grabber. On GlitchPOS, the author developed its own code to perform this task and did not use the previously leaked code,” Warren Mercer and Paul Rascagneres of Talos said in their analysis of the new malware.
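What a "credit card grabber" of the kind the Talos quote refers to actually does is scan memory for magnetic-stripe track data in the brief window before the PoS software encrypts it. The following Python is an added example of that generic mechanism, not code from GlitchPOS, DiamondFox or BlackPOS: it applies Track 1 and Track 2 pattern matching plus a Luhn check to a constructed buffer standing in for a memory read, and masks the PAN in its output. The same routine is useful on the defensive side, for example to confirm from a memory dump whether a PoS process ever holds cleartext track data.

```python
"""Track-data scanner of the kind PoS memory grabbers implement.

Added example, not GlitchPOS/DiamondFox/BlackPOS code. In real malware the
buffer comes from reading another process's memory; here it is a
constructed byte string so the example runs offline.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   (ISO/IEC 7813 layout)
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})([^\?]*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; grabbers use it to drop false positives from random digit runs."""
    digits = [int(c) for c in pan.decode("ascii")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four, mask the rest, so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Return Luhn-valid Track 1/Track 2 records found in `buf`, PANs masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask_pan(pan.decode()),
                         "expiry": m.group(2).decode(), "service_code": m.group(3).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask_pan(pan.decode()),
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "service_code": m.group(4).decode()})
    return hits


# Constructed sample "memory" using a well-known test PAN (4111111111111111);
# the second Track 2 record has a bad check digit and must be rejected.
SAMPLE_MEMORY = (
    b"\x00\x00junk;4111111111111111=25121011234567890?\x00"
    b";4111111111111112=2512101000?\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Two details matter for anyone writing detections around this: the scan is cheap and runs repeatedly against the PoS process, so process-memory reads of the payment application from an unexpected binary are a strong signal, and the Luhn filter means the malware's output is compact and exfiltration volume stays low, so traffic volume alone is a poor indicator.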
PoS malware has evolved quite a bit over the years, but the basics have remained: infecting PoS devices and stealing card data. Its use has been a remarkably effective tactic for many cybercrime groups, and that’s likely to remain the case for some time.