New “PoSeidon” POS Malware Spotted in the Wild

(Ping! Zine Web Hosting Magazine) – A new POS malware has been spotted in the wild by Cisco that is, allegedly, more sophisticated and nastier than previously seen POS malware. The “PoSeidon” malware is built on the shoulders of Zeus and sports improvements over BlackPOS, which plundered millions of card records from Target payment terminals in 2013. It scrapes memory from POS terminals and siphons the captured card data off to Russian domains, likely for resale, Cisco says. PoSeidon contains a loader that maintains persistence on infected boxes so that it survives reboots and user log-outs. A subsequently downloaded binary, FindStr, installs a keylogger and scans process memory for sequences that look like credit card numbers. Candidate numbers are verified with the Luhn algorithm, encrypted and shipped off to one of a dozen hardcoded command and control servers.
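The scraping step described above (find long digit runs in memory, keep only those that pass the Luhn check) is also exactly what a defender runs to find card data sitting in cleartext on a POS host. The following is an added example, not Cisco’s analysis code and not PoSeidon’s own; the byte buffer standing in for a process memory region is constructed for the demonstration, and the test card numbers in it are the standard issuer test numbers, not real accounts.

```python
import re

# Constructed stand-in for a dumped POS process memory region: two
# track-style records with Luhn-valid test PANs, plus two digit runs
# of PAN length that should NOT be reported (an order id and a PAN
# with one digit altered).
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00"
    b"%B4111111111111111^DOE/JOHN^2512101?"   # Track 1 style, valid Luhn
    b"\x00\x00orderid=1234567890123\x00"      # 13 digits, fails Luhn
    b";5500000000000004=2512101?"             # Track 2 style, valid Luhn
    b"\x00tel=4111111111111112\x00"           # last digit altered, fails Luhn
)

# A PAN is 13 to 19 digits; the lookarounds stop us from taking a
# 13-digit window out of a longer, unrelated digit run.
CANDIDATE_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: walking from the right, double every second
    digit, subtract 9 from any product above 9, and require the sum to be
    a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only BIN (first 6) and last 4 so the scanner's own findings
    are not a second copy of the card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_pans(buf: bytes):
    """Return (offset, PAN) for every Luhn-valid digit run of PAN length."""
    hits = []
    for m in CANDIDATE_RE.finditer(buf):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


if __name__ == "__main__":
    for offset, pan in scan_for_pans(SAMPLE_MEMORY):
        print(f"offset 0x{offset:04x}: {mask_pan(pan)}")
```

Against a real host you would feed the scanner a dump of the payment application’s memory (for example from a memory-forensics tool) rather than a constructed buffer. The point of the Luhn filter is the same for attacker and defender: it removes most of the numeric noise, so the two rejected digit runs in the sample never reach the output, while the two test PANs do.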

Richard Cassidy, technical director EMEA, Alert Logic

“ePOS systems remain a top target for hacker cells and we’ve already seen a great many variants of successful ePOS malware programs over the past 12 months. The groups behind these threats are well aware that organizational IT & Security teams are up against a monumental challenge in terms of managing the security and data transaction estate, with a great deal of effort being focused on achieving compliance more than can be afforded on effective security practices. This gives attackers a greater window of opportunity than ever before, and the challenge is only becoming greater for businesses.

This isn’t to say that organizations aren’t focusing time on security monitoring and response capabilities; it’s simply a case that the data analysis needed (log, traffic flows, application transactions and user activity) for effective security insights and protection is proving so great that security teams are finding it increasingly difficult to focus the time and effort needed to detect directed malware activity of the ilk of “PoSeidon”. The fact that this particular malware now implements a keystroke logger is interesting on two fronts: first, it means that its threat footprint is easier to detect, and secondly, it shows that this particular malware may not have been written to stand the test of time, as we’ve seen with more cleverly designed malware such as the infamous BlackPOS malware application that hit Target back in 2013. The hardcoded domain names should offer some instant help in detecting data exfiltration attempts; however, good old-fashioned security practices of locking down data transfers from key financial systems to only trusted destinations will make it more difficult for attackers to get the data back to its intended destination.

The challenge is that if we as businesses continue to deploy more and more security systems, we’re going to bury ourselves deeper in content output that we simply cannot analyze effectively enough to stay one step ahead of the new threats released by very well-resourced and talented hacker cells. Overall, organizations need to look at how they can more effectively build big data analytics and deeper security insight knowledge into their own security processes. Perhaps this is where cloud-based solutions can offer instant gratification and immediate outcomes from a security and compliance perspective.”

Adam Winn, manager, OPSWAT

“The use of hard-coded C&C server addresses is very surprising. With the apparent effort that went into building this malware, it would seem a marginal investment to code in a dynamic C&C server address mechanism. This implies a few possibilities:

  1. The coders aren’t as sophisticated as the rest of the packaging implies
  2. This is a one-time attack with no plans of re-use (unlikely)
  3. This was simply a proof of concept or first attempt, and we should expect to see variants soon with new batches of C&C addresses coded in”

Chandra Sekar, Sr. Director of Product Strategy, Illumio

“While the new malware includes abilities to survive reboots and user logouts at PoS terminals, the techniques used continue to exploit the “soft-and-chewy” insides of enterprise data centers that rely mainly on perimeter protection. Enterprises continue to fall victim to the phenomenon that Illumio calls the “paradox of the perimeter” – spending 80% of their security dollars to secure 20% of the traffic. A vast majority of the data traffic that happens inside the data centers is under-protected and hackers that have made their way past porous perimeter defenses take advantage of this situation.

Retailers and enterprises handling sensitive credit card information need to consider the following steps to deter hackers from exploiting PoS systems.