NitlovePoS, The New PoS Malware is being spread by Spam
Researchers at FireEye have detected a new strain of point-of-sale (POS) malware being used in the wild and served through a spam campaign.
A new malware strain called NitlovePoS is able to capture and exfiltrate Track 1 and Track 2 data from payment cards; to do so it scans the running processes of the infected machine.
FireEye reported that the crooks launched a new campaign using emails with subjects such as “Any Jobs?”, “Any openings?”, “Internship”, “Internship questions”, “Internships?”, “Job Posting”, “Job questions”, “My Resume” and “Openings?”, and they believe it all started on May 20. The email carries an attachment named “CV_[4 numbers].doc” or “My_Resume_[4 numbers].doc” that looks like a resume but in fact contains a malicious macro disguised as a resume.
If the document is opened and the macro is enabled, the “malicious macro will download and execute a malicious executable from 80.242.123.155/exe/dro.exe.”
“To trick the recipient into enabling the malicious macro, the document claims to be a ‘protected document’,” said FireEye researchers.
This campaign is still ongoing and the crooks have been updating the payload, so pay attention to any suspicious e-mails.
“We focused on the ‘pos.exe’ malware and suspected that it may be targeting Point of Sale machines,” FireEye researchers wrote. “We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE’s [hosted] on that server, we have only observed three downloads of ‘pos.exe’.”
Once it infects the machine, the malware adds itself to a registry key to ensure that it runs again after a reboot.
“NitlovePOS expects to be run with the ‘-’ sign as argument; otherwise it won’t perform any malicious actions,” the researchers explained. “This technique can help bypass some methods of detection, particularly those that leverage automation.”
“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data,” they added. “If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort.”
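The search described above looks for data laid out in the Track 1 and Track 2 magnetic-stripe formats. The following scanner is an added example (not FireEye's code and not the malware's) of the same pattern matching used from the defender's side, for instance by a DLP rule or a memory-dump triage script; it applies a Luhn check to discard false positives and runs over a constructed sample buffer. The regexes, the `SAMPLE_MEMORY` buffer and the well-known test PAN 4111111111111111 are assumptions made for the example.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used by card issuers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only BIN and last four so a finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return (track, masked PAN, offset) for every Luhn-valid track hit in buf."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((track, mask(pan), m.start()))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample: a process-memory-like buffer with one Track 1 record,
# one Track 2 record, and one Track 2 look-alike whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal log\x00"
    b"%B4111111111111111^DOE/JOHN^25011010000000000?\x00\x00"
    b"GET /status HTTP/1.1\r\n\x00"
    b";4111111111111111=25011010000000000?\x00"
    b";4111111111111112=25011010000000000?\x00"   # Luhn-invalid: ignored
)

if __name__ == "__main__":
    for track, masked, off in find_track_data(SAMPLE_MEMORY):
        print(f"{track}: {masked} at offset {off}")
```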
NitlovePoS is not the only PoS malware “out there”; since the beginning of 2015 many other PoS malware families have been seen, such as Punkey and FighterPOS.
It is important to tell the reader that some solutions have been doing very well at protecting point-of-sale environments, namely next-generation firewalls, since they enforce network segmentation:
“The key advantage that NGFW (next-generation firewalls) provides for network segmentation is application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled.”
In conclusion, keep in mind that most probably until the end of 2015 we will see an increase in incidents related to PoS malware where data exposure was successful, and
“Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant. We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cybercrime marketplace.”