LockPoS malware adopts injection technique to evade detection

News by Bradley Barth

LockPoS, a point-of-sale malware program discovered in 2017 stealing payment card data from computers' memory, is now using a new malware injection technique designed to bypass antivirus hooks and evade detection.

Hod Gabriel, malware analyst at Cyberbit, reported in a company blog post last week that LockPoS uses three main routines – all of which are exported from ntdll.dll, a core Windows dynamic link library file – to inject malicious code into a remote process. The three routines used are: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx.

The technique is reportedly similar to that used by Flokibot POS malware, which shares the same botnet used for distribution – except LockPoS uses different API calls for the injection.

Gabriel said that one technique "involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code."

“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult,” Gabriel continued. “Most EDR [Endpoint Detection and Response] and next-gen antivirus products already monitor the Windows functions in user mode. But in Windows 10, the kernel space is still guarded, so kernel functions can't be monitored.”
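As an added defender-side illustration (not code from the article or from Cyberbit's post), the Python below shows how a user-mode API-call trace could be correlated into the three-step cross-process sequence described above; the log line format, field names and process ids are constructed assumptions standing in for whatever an EDR's own hooks would emit.

```python
"""Correlate NtCreateSection -> NtMapViewOfSection (into another process)
-> NtCreateThreadEx/CreateRemoteThread (in that process) from a trace of
user-mode API calls. The trace format is a constructed assumption."""
import re
from collections import defaultdict

# Assumed line shape: "pid=<n> api=<name> [section=<handle>] [target=<pid>]"
LINE_RE = re.compile(
    r"pid=(\d+) api=(\w+)(?: section=(0x[0-9a-f]+))?(?: target=(\d+))?")


def detect_section_map_injection(lines):
    """Return (source_pid, target_pid) pairs that completed, in order:
    create a section, map it into a *different* process, then start a
    thread in that process. Mapping a section into one's own process is
    ignored, since legitimate code does that constantly."""
    sections = defaultdict(set)  # source pid -> section handles it created
    mapped = defaultdict(set)    # source pid -> remote pids it mapped into
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a call we model; skip rather than guess
        pid, api, section, target = m.groups()
        if api == "NtCreateSection" and section:
            sections[pid].add(section)
        elif (api == "NtMapViewOfSection" and section in sections[pid]
              and target and target != pid):
            mapped[pid].add(target)
        elif api in ("NtCreateThreadEx", "CreateRemoteThread") \
                and target in mapped[pid]:
            hits.append((int(pid), int(target)))
    return hits


# Constructed sample trace: one injector (4120 -> 2980), one benign
# self-mapper (5200), and one remote thread with no prior mapping (6100).
SAMPLE_TRACE = [
    "pid=4120 api=NtCreateSection section=0x1a4",
    "pid=4120 api=NtMapViewOfSection section=0x1a4 target=4120",
    "pid=4120 api=NtMapViewOfSection section=0x1a4 target=2980",
    "pid=4120 api=NtCreateThreadEx target=2980",
    "pid=5200 api=NtCreateSection section=0x2b0",
    "pid=5200 api=NtMapViewOfSection section=0x2b0 target=5200",
    "pid=6100 api=NtCreateThreadEx target=2980",
]

if __name__ == "__main__":
    for src, dst in detect_section_map_injection(SAMPLE_TRACE):
        print(f"section-map injection: pid {src} -> pid {dst}")
```

The third case (pid 6100) deliberately does not match, because a remote thread on its own is a different, noisier signal than the full section-mapping chain the article describes.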
