New BlackPOS variant masquerades as AV service

Before the Backoff point-of-sale malware received deserved attention, the main player in the PoS malware field was BlackPOS (or Kaptoxa), the memory-scraping malware that was used in the Target breach.

Other malware based on BlackPOS has also been analyzed. As time goes by, new versions of the malware are discovered – not wholly unexpected as the original’s source code was leaked online in 2012.

Trend Micro researchers have news about the latest version, which they dubbed Memlog. Unlike previous versions, which registered themselves as a system service used by the target company, Memlog disguises itself as an installed service of known AV vendor software in order to avoid detection.

Memlog has some additional changes:

  • A different routine for listing and iterating running processes (CreateToolhelp32Snapshot API call instead of EnumProcesses API call),
  • A new custom search routine to check the RAM for card track data, which is instructed to ignore certain processes where track data usually can’t be found.

The card track data scraped from memory is saved into a file with a .dll extension and sent to a shared location within the same network.
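As an added defender-side example (not code from Trend Micro's report), the following check looks for the staging files described above: a file named as a .dll that lacks the PE "MZ" header but contains Luhn-valid track 1 or track 2 records. The file names, the classification labels and the sample records (built from a well-known test card number) are constructed for illustration.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}[^?]{0,30}\?")

def luhn_ok(pan: str) -> bool:
    """Drop digit runs that are not valid card numbers (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def track_records(data: bytes) -> list:
    """Return Luhn-valid PANs found in track 1/track 2 records in a byte blob."""
    found = []
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(data):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                found.append(pan)
    return found

def is_pe_image(data: bytes) -> bool:
    """A genuine DLL is a PE image and starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

def classify_dll(filename: str, data: bytes) -> str:
    """Flag a .dll-named file that is not a PE image but carries track data."""
    if not filename.lower().endswith(".dll"):
        return "not-dll"
    if is_pe_image(data):
        return "pe-image"
    if track_records(data):
        return "suspect-track-dump"
    return "non-pe-unknown"

# Constructed sample dump: two valid records, one with a PAN that fails Luhn.
SAMPLE_DUMP = (
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?\r\n"
    b";4111111111111111=25121010000000000000?\r\n"
    b";4111111111111112=25121010000000000000?\r\n"
)
```

Run `classify_dll` over files dropped on the internal share the article mentions; a hit on a non-PE .dll is worth an immediate look.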

Attackers can deliver PoS malware to target networks by infecting machines before they are deployed, by compromising network communication, or by targeting specific servers through an initial point of entry followed by lateral movement, Trend Micro researchers shared.

They advise enterprises and large organizations to implement a multi-layered security solution, and to periodically check whether and when a system component has been modified, as such a change could point to a potential compromise.
