Researchers are tracking a new version of a point-of-sale malware family that shares the memory scraping capabilities of other PoS threats but appears to have been developed for a single attacker and is being used in targeted operations against banks and smaller retailers.
The malware is known as Treasurehunt, and researchers say it has been active for more than a year now. Recently observed versions show changes in the way infected devices communicate with command-and-control servers and store data. Like many other types of PoS malware, Treasurehunt relies on memory scraping to gather the data it is after. Once on a target device, the malware scans running processes and looks for payment card information, which is then extracted and sent back to the attacker.
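The memory scraping described above works because unencrypted track data sits in a PoS process's memory, if only briefly. The same pattern matching is what a defender uses to audit a PoS build for plaintext card data. The following is an added example, not code from the article or from FireEye's analysis: it scans a constructed memory sample for Track 2-formatted records, discards digit runs that fail the Luhn check or carry an impossible expiry month, and reports only masked PANs. The sample buffer, the card numbers in it (industry test numbers, not real cards) and the record layout are assumptions made for the example.

```python
import re

# Constructed sample of a process-memory region, not real PoS data. It mixes
# one Luhn-valid Visa test number (4111111111111111), one 13-digit string that
# fails Luhn, and one near-miss whose check digit is wrong.
SAMPLE_MEMORY = (
    b"\x00\x00TXN_START;4111111111111111=27121011234567890?\x00\x00"
    b"order-1234567890123=2512100?\x00"
    b";4111111111111112=2712101?\x00\x00"
)

# Track 2 layout: [;]PAN=YYMM<3-digit service code><discretionary data>[?]
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d*\??"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the usual PCI DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Return masked findings for every plausible Track 2 record in buf."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        month = int(m.group("mm"))
        if not luhn_ok(pan) or not 1 <= month <= 12:
            continue  # digit runs that merely look like track data
        findings.append({
            "offset": m.start(),
            "masked_pan": mask_pan(pan),
            "expiry": "20%s-%02d" % (m.group("yy").decode("ascii"), month),
            "service_code": m.group("svc").decode("ascii"),
        })
    return findings


if __name__ == "__main__":
    # Expected: exactly one finding, the Luhn-valid record at offset 11.
    for finding in find_track2(SAMPLE_MEMORY):
        print(finding)
```

Run against a memory dump of a PoS process (or a test harness around the payment library), any finding means plaintext track data was resident in memory and is within reach of a scraper; the fix is point-to-point encryption at the reader, not a stronger host firewall.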
“In a typical scenario, TREASUREHUNT would be implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured POS systems,” Nart Villeneuve of FireEye wrote in an analysis of the malware.
The malware uses a registry key to stay persistent on infected devices, and scraped data is sent to C&C servers through an HTTP POST request. Villeneuve said that a relatively small number of Treasurehunt samples have been seen since it was first observed in late 2014, suggesting that it is used mainly in targeted attacks. There also are some hints in the malware's code pointing to its provenance.
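Because the stolen data leaves the network as an ordinary HTTP POST, the most reliable detection is on the egress side: a PoS terminal has a very short list of hosts it legitimately talks to. The following is an added example, not from the article or from FireEye: it parses constructed proxy log lines and flags any request from the PoS segment to a host outside an allowlist, noting when the request is a POST or goes to a bare IP address. The log format, the 10.20.5.0/24 PoS segment, the allowlisted hostnames and the destination addresses are all assumptions made for the example (the 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses).

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic), one request per line:
# <timestamp> <source ip> <method> <url> <status> <bytes sent>
SAMPLE_PROXY_LOG = """\
2016-03-28T10:01:05Z 10.20.5.14 POST https://gateway.processor.example/auth 200 512
2016-03-28T10:01:09Z 10.20.5.14 POST http://198.51.100.7/upload.php 200 1843
2016-03-28T10:02:11Z 10.30.1.9 POST http://198.51.100.7/upload.php 200 900
2016-03-28T10:03:40Z 10.20.5.21 GET http://203.0.113.5/index.html 200 100
2016-03-28T10:04:02Z 10.20.5.21 POST https://updates.vendor.example/heartbeat 200 64
"""

# Assumed network layout: PoS terminals live in 10.20.5.0/24 and are only
# expected to reach the payment processor and the PoS vendor's update host.
POS_NETWORK = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_HOSTS = {"gateway.processor.example", "updates.vendor.example"}


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, sent = parts
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "method": method,
        "host": urlsplit(url).hostname,
        "status": int(status),
        "bytes": int(sent),
    }


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_pos_egress(log_text: str) -> list:
    """Return PoS-originated requests whose destination is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in POS_NETWORK:
            continue  # malformed, or not a PoS terminal
        if rec["host"] in ALLOWED_HOSTS:
            continue  # expected traffic
        reasons = ["destination not in PoS allowlist"]
        if rec["method"] == "POST":
            reasons.append("outbound POST (possible data upload)")
        if is_bare_ip(rec["host"]):
            reasons.append("destination is a bare IP address")
        flagged.append({
            "ts": rec["ts"],
            "src": str(rec["src"]),
            "host": rec["host"],
            "method": rec["method"],
            "bytes": rec["bytes"],
            "reasons": reasons,
        })
    return flagged


if __name__ == "__main__":
    # Expected: two hits, both from the PoS segment to non-allowlisted IPs.
    for hit in flag_pos_egress(SAMPLE_PROXY_LOG):
        print(hit)
```

The allowlist is the real control here; the scoring of POSTs and bare IPs only orders the triage queue. On a PoS segment the same list belongs in the egress firewall so the alert fires on a blocked connection rather than a completed upload.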
“The reference to “BearsInc” is an indication that TREASUREHUNT was developed exclusively for a specific cybercrime operation. BearsInc is an actor on an underground cybercrime forum dedicated to credit card fraud. BearsInc has advertised stolen payment card information for sale,” Villeneuve said.
PoS malware has been at the foundation of some of the larger data breaches in recent years, most notably the Target breach. It often is installed through the use of stolen or compromised credentials, and can sometimes serve as a foothold for a larger network infiltration. As Villeneuve points out, attackers are in something of a race to make the most of the PoS malware that they already have in play, thanks to changes to the way payment cards are used in the United States.
“In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless. While some cybercriminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking to take advantage of memory scraping POS malware while it still works,” Villeneuve said.
While the changeover to chip and PIN took place several months ago, many retailers and other businesses, especially smaller ones, have not made the switch yet for one reason or another. The attacker community knows that, and is focusing its attention on those weaker links in the chain.