New BlackPOS variant masquerades as AV service
Posted on 02.09.2014
Before the Backoff point-of-sale malware received deserved attention, the main player in the PoS malware field was BlackPOS (or Kaptoxa), the memory-scraping malware that was used in the Target breach.

Other malware based on BlackPOS has also been analyzed. As time goes by, new versions of the malware are discovered - not wholly unexpected as the original's source code was leaked online in 2012.

Trend Micro researchers have news about the latest version, which they dubbed Memlog. Unlike previous versions, which registered themselves as a system service used by the target company, Memlog disguises itself as an installed service of known AV vendor software in order to avoid detection.

Memlog has some additional changes:
  • A different routine for listing and iterating running processes (a CreateToolhelp32Snapshot API call instead of an EnumProcesses API call),
  • A new custom search routine that checks RAM for card track data and is instructed to skip certain processes in which track data is not usually found.

Card track data grabbed from memory is saved into a .dll file and sent to a shared location within the same network.
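A defender-side check written for this article (it is not Trend Micro's code nor anything from the malware): scan a suspect file, such as the .dll drop described above, for Track 1 / Track 2 formatted card data and Luhn-check each PAN so a staged dump can be confirmed without trusting the file extension. The sample bytes and the 4111... test PAN are constructed for the example.

```python
"""Scan a file for Track 1 / Track 2 card records and Luhn-check the PAN.
Added example for spotting a staged dump on a network share; not the
malware's own routine and not Trend Micro's tooling."""
import re
from typing import Dict, List

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check digit test (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> List[Dict]:
    """Return one finding per track record found in the bytes, PAN masked."""
    hits = []
    for track, regex, exp_group in ((1, TRACK1_RE, 3), (2, TRACK2_RE, 2)):
        for m in regex.finditer(blob):
            pan = m.group(1).decode()
            hits.append({"offset": m.start(), "track": track, "pan": mask(pan),
                         "exp": m.group(exp_group).decode(), "luhn": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


def scan_file(path: str) -> List[Dict]:
    """Convenience wrapper: scan a file on disk (e.g. the dropped .dll)."""
    with open(path, "rb") as f:
        return find_track_data(f.read())


# Constructed sample: PE-like header, one Track 1 record and two Track 2 records,
# using the public 4111... test PAN plus a 13-digit run that fails Luhn.
SAMPLE = (b"MZ\x90\x00junk%B4111111111111111^DOE/JANE^25121010000000?"
          b"more;4111111111111111=25121010000000?tail;1234567890123=2512101?")

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```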

Attackers can deliver PoS malware onto target networks by infecting machines before they are deployed, by compromising network communication, or by targeting specific servers as a point of entry and then moving laterally, Trend Micro researchers shared.

They advise enterprises and large organizations to implement a multi-layered security solution, and to periodically check whether and when a system component has been modified, as such a change could point to a potential compromise.
