Fresh POS Malware Strikes Small and Midsize CompaniesGlitchPOS Disguises Itself as a Game Involving Cats; DMSniff Hits Restaurants
A closely held type of point-of-sale malware appears be spreading further, and it uses a resiliency trick borrowed from botnet operators, according to new research from Flashpoint, a threat intelligence firm
Flashpoint's announced its finding Wednesday, the same day as Cisco's Talos intelligence unit described another new type of point-of-sale system malware, GlitchPOS, which disguises itself as a game involving cats.
Flashpoint says that malware, called DMSniff, is hitting small and midsize businesses in the restaurant and entertainment industries. Those industries process physical payment cards for transactions, which makes their associated point-of-sale systems targets for memory-scraping malware, also known as RAM scrapers.
Point-of-sale malware has struck big companies such as Target, Home Depot and many others over the last few years. Those attacks have raised awareness around vulnerabilities in payment systems.
Companies have sought to improve defenses and are required by the card companies to follow the Payment Card Industry's Data Security Standard, or PCI-DSS. But the risks are ever-present and attacks are continuing.
"Point-of-sale malware continues to plague industries such as food services and hospitality where older and unsupported systems remain prevalent," write Jason Reaves and Joshua Platt, both principal threat researchers with Flashpoint. "In these environments where card-present transactions are king, criminals have been relentless in targeting these vulnerable devices."
The emergence of more sophisticated card-scraping malware doesn't bode well for retail companies, which can face steep costs for remediating large breaches. Those costs include forensic investigations, customer outreach, regulatory inquiries and possibly fines from card companies. And despite a surfeit of stolen card details on the black market, efforts to steal more continue (see: Big Dump of Pakistani Bank Card Data Appears on Carder Site).
Botnet Trick Borrowed
Although DMSniff is newly discovered, it likely has been around since 2016, Reaves and Platt write. They suspect, with low confidence, that attackers may be brute-forcing SSH credentials on devices or scanning for other vulnerabilities, leading to an infection.
The malware uses several tricks to maintain persistence and keep a low profile. DMSniff is encoded with a domain generation algorithm, or DGA, which generates an endless pattern of domains. If the malware's creator activates one of those domains, it can be used as a command-and-control server.
That's a technique borrowed from botnet herders. Using DGAs helps maintain a botnet's resiliency. If hosting companies or law enforcement shut down a known C&C node, the malware can call out to a different one. The C&C servers can be frequently rotated, making it difficult to cut off communication to the botnet.
Flashpoint notes that that use of a DGA in POS malware is rare.
"The DGA is based on a number of hard-coded values; in the samples researchers have found, the first two characters of the generated domains are hard-coded in the bot," they write. "Researchers have found 11 variants of this DGA so far, all structured in the same algorithm, but with variable first two letters and hard-coded multiply values in the algorithm.
To help mask its communications with the C&C server, DMSniff uses encrypted strings. "This shields the malware's capabilities from detection, making it difficult for researchers to learn its capabilities," Flashpoint writes.
DMSniff gingerly probes after it infects a POS system. It is coded with a list of process names to avoid and only begins further investigations of ones that may hold promising card data, according to Flashpoint.
"Each time it finds an interesting process, it will loop through the memory sections to attempt to find a credit card number," Reaves and Platt write. "Once a number is found, the bot takes the card data and some of the surrounding memory, packages it and sends it to the C2."
Another Entrant: GlitchPOS
Also on Wednesday, Talos described the GlitchPOS malware, a new RAM scraper.
GlitchPOS was first described in a post on a malware forum last month. It appeared to be for sale by a user - "edbitss" - who is linked to the DiamondFox L!NK botnet, and Talos notes some similarities in control panels.
"We can see that edbitss developed malware years even after being publicly mentioned by cybersecurity companies," Talos writes. "He left DiamondFox to switch on a new project targeting point-of-sale. The sale opened a few weeks ago, so we don't know yet how many people bought it or use it."
A built version of GlitchPOS costs $250; the malware builder costs $600 and a gate address change is $80, Talos writes.
"This investigation shows us that POS malware is still attractive and some people are still working on the development of this family of malware," Talos writes.