'NewPosThings' malware evolves, malicious traffic traced to airports

Trend Micro believes that point-of-sale malware attackers will increasingly target travellers.

While observing the evolution of point-of-sale malware, called NewPosThings, Trend Micro traced suspicious traffic back to two US airports.

The NewPosThings malware family was uncovered last September by Arbor Networks. In a blog post last week, Trend Micro threat analyst Jay Yaneza revealed that the company had recently seen malware attempting to connect to NewPosThings' control hub. The traffic resolved to IP addresses associated with the unnamed airports, he explained.

Of note, Trend Micro found variants of the malware that targeted 64-bit Windows systems and higher, as opposed to earlier iterations of NewPosThings that were compatible with 32-bit versions.

“Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines,” Yaneza wrote. “These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.”

In recent months, researchers have detected noticeable changes in the malware: the latest variant of NewPosThings, version 3.0, disables security warnings on systems and uses custom packers with added anti-debugging methods.

With regard to the suspicious traffic coming from two airports, Yaneza said that, combined with reports last month of a credit card breach at Los Angeles International Airport (LAX), there appears to be a trend of POS attackers targeting travellers.

“No matter which country, airports represent one of the busiest establishments where there are transactions being made all year round,” he wrote. “This further reinforces the fact that POS malware, and the threat actors behind it, may have definitely matured to branch out to targets other than large retailers or small merchants.”

In a Friday interview with SCMagazine.com, Christopher Budd, global threat communications manager at Trend Micro, said that “In a post-Target world, anything that takes a credit card is going to be something that attackers are going to look at” as a possible attack vector. Cybercriminals also take advantage of the fact that many consumers “suffer from idea compartmentalisation,” not considering that card terminals at the last airport they travelled through may be just as appealing, if not more so, to credit card data thieves as those belonging to big box retailers, he explained.

“That's why POS attacks are so viable right now, because from an attacker's point of view, [these avenues] are nearly as attractive as PCs,” Budd said.