New BlackPOS variant masquerades as AV service

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
Before the Backoff point-of-sale malware received deserved attention, the main player in the PoS malware field was BlackPOS (or Kaptoxa), the memory-scraping malware that was used in the Target breach.

Other malware based on BlackPOS has also been analyzed. As time goes by, new versions of the malware are discovered - not wholly unexpected as the original's source code was leaked online in 2012.

Trend Micro researchers have news about the latest version, which they dubbed Memlog. Unlike previous versions, which registered themselves as a system service used by the target company, Memlog disguises itself as an installed service of known AV vendor software in order to avoid detection.

Memlog has some additional changes:
  • A different routine for listing and iterating running processes (CreateToolhelp32Snapshot API call instead of EnumProcesses API call),
  • A new custom search routine to check the RAM for card track data, which is instructed to ignore certain processes where track data usually can't be found.
The grabbed credit card track data from memory is saved into a .dll file and sent to a shared location within the same network.

Attackers can deliver PoS malware on target networks by infecting machines before they are deployed, by hacking network communication, or by targeting specific servers by point of entry and lateral movement, Trend Micro researchers shared.

They advise enterprises and large organizations to implement a multi-layered security solution, as well as to occasionally check if and when a system component has been modified or changed, as this could point to a potential compromise.