Discover, MasterCard, Visa and Amex cards are targeted

Mar 23, 2015 12:49 GMT  ·  By

A new point-of-sale (PoS) malware family, dubbed PoSeidon, has been discovered in the wild, contacting data exfiltration servers running websites with a Russian top-level domain.

PoS malware is designed to infect payment processing systems and extract card data from the memory of running processes, where it can be captured and later used to clone the cards; this data-retrieval technique is known as “memory scraping.”

Keylogging and card data wrapped and delivered to Russian websites

Cisco’s threat researchers from the Talos Security Intelligence and Research Group, who found the fresh piece, say that a PoSeidon infection starts with a binary file called Loader, which communicates with a hard-coded command and control (C&C) server (mostly from the Russian TLD space) to download another executable named FindStr.

In turn, FindStr runs keylogging routines and looks in memory for credit card numbers, which are then encoded (XOR and Base64) and delivered to a Russian C&C. Candidate card numbers are validated using the Luhn algorithm, a checksum that is in the public domain.

According to the Talos analysis, the cybercriminals look only for 16-digit sequences starting with 4, 5 and 6, which are specific to Visa, Mastercard and Discover; 15-digit sequences that start with 3 are also targeted, and these are associated with Amex credit or debit cards.
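The same test the article describes (the Luhn checksum plus the prefix and length rules above) is what a defender uses to spot card data in a memory dump or a file during an incident. The scanner below is an added example, not Talos code or anything taken from the malware; it runs over a constructed byte buffer containing widely published test card numbers, and reports hits masked so the report itself does not leak card data.

```python
import re

# Brand prefixes and lengths as stated in the Talos analysis: 16 digits
# starting 4/5/6 (Visa, Mastercard, Discover), 15 digits starting 3 (Amex).
TARGET_RULES = {
    ("4", 16): "Visa",
    ("5", 16): "Mastercard",
    ("6", 16): "Discover",
    ("3", 15): "Amex",
}

def luhn_valid(digits: str) -> bool:
    """Public-domain Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_pan(digits: str):
    """Return the brand if the digit run matches the targeted rules and Luhn, else None."""
    brand = TARGET_RULES.get((digits[0], len(digits)))
    if brand is None or not luhn_valid(digits):
        return None
    return brand

# Constructed stand-in for a scraped memory region. The card numbers are
# widely published test PANs, not real accounts.
SAMPLE_MEMORY = (
    b"Track2=;4111111111111111=2512101?\x00pad\x00"
    b"order=5555555555554444 total=12.34\x00"
    b"\x00\x006011111111111117\x00"
    b"amex:378282246310005\x00"
    b"4111111111111112\x00"         # wrong Luhn check digit: ignored
    b"9000000000000001\x00"         # passes Luhn, prefix not targeted: ignored
    b"12345678901234567890\x00"     # 20-digit run, wrong length: ignored
)

DIGIT_RUN = re.compile(rb"(?<!\d)\d{15,16}(?!\d)")

def find_card_candidates(buf: bytes):
    """Scan a buffer for Luhn-valid PANs of the targeted brands; mask all but the last 4 digits."""
    hits = []
    for m in DIGIT_RUN.finditer(buf):
        digits = m.group().decode("ascii")
        brand = classify_pan(digits)
        if brand:
            hits.append({"offset": m.start(), "brand": brand,
                         "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return hits

if __name__ == "__main__":
    for hit in find_card_candidates(SAMPLE_MEMORY):
        print(hit)
```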

Persistence routine comes with a backup plan

Talos says that PoSeidon demonstrates the sophistication of cybercriminals, as it executes a set of routines that allow it to persist on the system across a restart.

Moreover, it takes action to make sure that a log-off by the current user does not hinder its activity in any way. This is achieved by Loader installing itself as a service named WinHost, whose executable is saved as WinHost.exe in the System32 folder; any other file with this name is overwritten automatically.

It appears that cybercriminals have prepared a fallback plan in case installation as a service fails:

“If Loader is not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them. Subsequently, it will copy itself to %UserProfile%\WinHost32.exe and install the registry key HKCU\Microsoft\Windows\CurrentVersion\Run\\WinHost32. Finally, it will create a new process to execute %UserProfile%\WinHost32.exe,” Talos researchers explain in a blog post.

At the moment, there seems to be an ongoing investigation of the infrastructure used by PoSeidon, as the researchers withheld some of the IP addresses associated with the malware at the request of federal law enforcement.

[Image gallery, 3 images: PoSeidon infection flow; Loader and FindStr share a large part of the code; Luhn algorithm used to determine that number sequences are for cards]