FastPOS malware becomes stealthier ahead of festive credit card spree

FastPOS malware, known for the speed with which it exfiltrated data often at the expense of stealth, has been upgraded to make it more covert - just in time for Christmas.

FastPOS putting a damper on the pre-Christmas buying festivities for retailers
FastPOS putting a damper on the pre-Christmas buying festivities for retailers

The FastPOS malware that infects point of sale terminals has been updated in time for the Christmas shopping season, becoming harder to detect.

That's according to a blog posts from Trend Micro which discovered a new variant of the malware that has undergone some significant upgrades.

FastPOS malware is known for its speed, and as the Trend Micro blog explained, up until now the malware stole data as fast as possible, taking as much as it could even at the expense of stealth.

However, from samples of the point-of-sale malware collected by the company last month, it found “an unusual network connection in one of the endpoints of a company based in North America”. The implication is that the malware has become modular and aware of the system it is infecting.

“FastPOS's first incarnation was multithreaded, having one process for each functionality – keylogging, RAM scraping, and self-updating. In its latest iteration, the malware makes use of different components hidden in its resource instead of writing everything in one file,” said the researchers. It also has separate components for 32-bit and 64-bit systems.

The modular components comprise a keylogger and a RAM scraper to monitor processes and scan for credit card track data, which are then sent to the main service. Stolen information is now stowed in mailslots, a mechanism for applications to store and retrieve messages. 

“The use of mailslots to evade AV detection isn't new,” said the researchers. “Since mailslots are memory-residing temporary files, it enables attackers to save information about the infected system without leaving traces of a physical file.”

The firm said the developer's approach to updating their malware is significant. 

“Modular malware such as FastPOS can be harder to detect as some of the components can be programmed not to work without another. Others such as FastPOS's do not depend on other components and can be self-executed, but only if the arguments for them are known,” said Trend Micro.

It added that uncovering  a component doesn't guarantee others can be found either. “For instance, FastPOS's main service and RAM scraper can be seen running as a service, making them easier to remove. However, the keylogger component can be harder to notice as its code is injected into explorer.exe's process memory,” the researchers said.

It added that the update shows that its developer is active and isn't shying away from trying new tactics – from switching memory to mailslots for data storage to using different versions of the same platform to create the malware. 

“The deployment is also quite suspect, as the malware's development cycle seems to keep pace with the retail sale season.”

Fortunato Guarino, cybercrime and data protection advisor at Guidance Software, told SCMagazineUK.com that this reinforces the importance of strong endpoint detection and response (EDR) tools that can alert an organisation to a POS attack and prevent hackers from actually extracting any data.

“To do this they need to work 'under the assumption of compromise', that is, take a proactive approach to tracking down any warning signs of unauthorised or unusual behaviour. POS terminals are endpoints like any other; security teams need to have 360-degree visibility into these systems in order to identify indicators of compromise quickly, so the appropriate response and remediation can happen to prevent or minimise the impact,” he said.

Smrithi Konanur, payments, web and mobile global product manager at HPE Security-Data Security, told SC that retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale.

“And unfortunately, POS systems are often the weak link in the chain – they should be considered insecure even after implementing EMV. A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” he said.

“Any businesses using POS systems can avoid the impact of these types of advanced attacks. Payment strategies like Point-to-Point Encryption are the best data-centric solutions to prevent such security breaches that target data in transit. Point-to-Point Encryption solutions that are implemented using proven methods, such as Format-Preserving Encryption are available to neutralise data from breaches either at the card reader, at the point of sale, in person or online.” 

Sign up to our newsletters