
New MalumPoS Malware Is Versatile, Can Be Configured for Any PoS System

2015-06-08 16:20

Cybercriminals created a new point-of-sale malware that can be set up to collect card data from multiple payment processing systems, making it one of the most flexible threats in its category.

Dubbed MalumPoS by security researchers at Trend Micro, the new malware piece is currently aimed at PoS systems powered by Oracle MICROS, a platform mostly found at hospitality and retail businesses.

Data collected from at least five types of cards

Once on the target machine, MalumPoS behaves much like other PoS malware: it scrapes the memory of running processes for payment card data. To avoid detection, it poses as the NVIDIA Display Driver and installs itself as a service.

According to Trend Micro, the malware can sift through up to 100 running processes and relies on regular expressions to determine if the data matches details from a card or not.

Since the information required for financial transactions is available on two tracks on a card’s magnetic stripe, there is a different regular expression for each of them.

The information scraped from the RAM is stored in an encrypted file, whose name (nvsvc.dll) makes it look as if it were part of NVIDIA drivers, so that it does not raise any suspicion.

Analysis of the malware shows that it searches for data from Visa, MasterCard, American Express, Discover, Diners Club, and some cards issued by JCB (Japan Credit Bureau).
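The regex-per-track and card-brand matching described above, seen from the defender's side: an added example (not Trend Micro's analysis code and not the malware's) that scans a constructed memory-dump buffer for cleartext ISO 7813 Track 1 and Track 2 records, Luhn-validates each PAN to cut false positives, and reports masked hits by issuer, the kind of check run when verifying that no system in PCI scope holds unencrypted track data. The buffer, the public test card numbers and the issuer prefix table are constructed assumptions, not values from the article.

```python
import re

# ISO 7813 layouts: Track 1 '%B<PAN>^<NAME>^<YYMM...>', Track 2 ';<PAN>=<YYMM...>'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")

# Issuer identification prefixes (classic ranges only; an assumption, not from the article).
BRANDS = (
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Diners Club", re.compile(r"^3(?:0[0-5]|[68])\d{11,16}$")),
    ("JCB", re.compile(r"^35(?:2[89]|[3-8]\d)\d{12}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2}|4[4-9]\d)\d{12}$")),
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
)

def luhn_ok(pan: str) -> bool:
    """Mod-10 check; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def brand_of(pan: str) -> str:
    """Map a PAN to its issuer by prefix; 'unknown' outside the listed ranges."""
    for name, pattern in BRANDS:
        if pattern.match(pan):
            return name
    return "unknown"

def scan_dump(buf: bytes) -> list:
    """Return (track, brand, masked PAN, offset) for every Luhn-valid track hit."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):  # drop false positives before anything is reported
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                hits.append((track, brand_of(pan), masked, m.start()))
    return sorted(hits, key=lambda h: h[3])

# Constructed dump: noise, one Track 1 and one Track 2 record built from public
# test card numbers, plus a Luhn-invalid decoy that must not be reported.
SAMPLE_DUMP = (b"\x00\x00nvsvc.dll\x00%B4111111111111111^DOE/JANE^2512101000000?\x00"
               b";378282246310005=2511101000000?\x00;4111111111111112=2512?\x00")

if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print("track %d %-16s %s at offset %d" % hit)
```

Only masked PANs leave the scanner, so its output can go into a ticket or SIEM without itself becoming cardholder data.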

MalumPoS lacks data exfiltration capability

Trend Micro says that MalumPoS also targets Oracle Forms, Shift4 systems, as well as those accessed via Internet Explorer, most of them being available in the US. But given its versatility, the threat can be modified to add new payment processing units as well as cards from other companies.

The research from the security firm shows that MalumPoS shares similarities with a threat of the same kind, called Rdasrv.

One commonality, apart from the use of the same regular expression, is the lack of data exfiltration capability, which suggests that the harvested information is retrieved by a different piece of malware. However, a clear connection between the two cannot be established.

On the other hand, researchers say that the operators of MalumPoS had information about the target before infecting it because they were able to customize binaries, "plant them within the target's environment, and manually collect the stored data."


