New POS malware from Russia targets retailers

News by Tim Ring

Retailers are being attacked by new POS malware, sent from Russia, that uses phishing emails based on fake job enquiries.

Retailers are being attacked by new point-of-sale malware, sent from Russia, that uses phishing emails based on fake job enquiries to infiltrate companies.

The wide-scale campaign began last week, according to a 23 May blog by security firm FireEye.

FireEye has dubbed the new malware ‘NitlovePOS’ and says it can steal full payment card details. It sends the exfiltrated data back to a single IP address in St Petersburg, Russia.

The attack is based on indiscriminate spam messages sent from hijacked Yahoo! Mail accounts that pretend to be enquiries about jobs and internships.

The emails attach a fake CV, which claims to be a ‘protected document’ to look more authentic. But when the victim opens it, they get the NitlovePOS malware instead.

FireEye believes the attackers then cherry-pick any retailers or similar victims they find among those downloading the initial malware.

They send their selected targets a “wide variety” of malware, including the ‘pos.exe’ file which FireEye believes targets point-of-sale machines.

The company says it has so far seen only three downloads of pos.exe, suggesting this is the number of retailers targeted to date.

And while the crime-ware communicates with domains in Russia, FireEye cannot confirm the attackers themselves are Russian.

Jason Steer, FireEye EMEA's chief security strategist, told via email: “The fact that the IP is in Russia isn't conclusive that that is where the perpetrators are from. It's easy to use and move IP addresses and many attackers use proxies to move the information on.”

In the blog, FireEye's Daniel Regalado and senior threat intelligence researcher Nart Villeneuve explain: “The NitlovePOS malware can capture and exfiltrate track one and track two payment card data by scanning the running processes of a compromised machine.”

The malware also uses a series of methods to avoid detection, they say, including “using a well-known hiding technique via NTFS alternate data streams”, and creating a VBS script.

FireEye adds: “NitlovePOS also expects to be run with the ‘-’ sign as argument; otherwise it won't perform any malicious actions. This technique can help bypass some methods of detection, particularly those that leverage automation.

“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data.”

The ‘pos.exe’ binary file is named ‘TAPIBrowser’ and was created on 20 May. The malware stores all hacked data in a ‘mailslot’ shared range of memory.
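To show what the “track one and track two” data FireEye refers to actually looks like, and how an incident responder's memory-forensics or DLP check separates real card records from random digit runs, here is an added example in Python. It is not FireEye's code or NitlovePOS itself; the blob, the record layouts and the test card numbers are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample resembling a memory region scraped from a suspect process:
# one track-1 record, one track-2 record, and a decoy that fails the Luhn check.
# The card numbers are well-known test values, not real accounts.
SAMPLE_BLOB = (
    b"\x00\x00junk;4111111111111111=25121010000012345678?\x00\x00"
    b"%B5500000000000004^DOE/JOHN^2512101?\x00\x00"
    b";4111111111111112=25121010000012345678?\x00"
)

# Track 2: ';' PAN(13-19 digits) '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,20}\?")
# Track 1, format B: '%B' PAN '^' NAME '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]{0,20}\?")

@dataclass
class TrackHit:
    track: int
    masked_pan: str          # never log the full PAN from a forensic tool
    expiry: str              # YYMM exactly as encoded on the card
    name: Optional[str]      # only present on track 1

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_track_data(blob: bytes) -> List[TrackHit]:
    """Return Luhn-valid track-1 and track-2 records found in a raw memory/file blob."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, mask_pan(pan), m.group(3).decode(), m.group(2).decode(errors="replace")))
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, mask_pan(pan), m.group(2).decode(), None))
    return hits

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_BLOB):
        print(hit)
```

Run over a process memory dump or a captured mailslot/ADS payload, the same check tells a responder whether an infected host was actually holding card data, without writing full PANs into the case notes.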

Commenting on the attack, security expert David Sandin, technical manager for Clavister, told via email: “It's interesting that the attackers are taking a scattergun approach with this campaign, rather than specifically targeting retailers, and basing their next steps on the communication from the malware following a successful infection.

“It highlights just how important it is for retail organisations to segment their networks effectively, so infections cannot jump across from one network to their POS networks, and to supplement conventional anti-virus with extra layers of security.”

Jason Steer advised potential targets of the campaign: “There are many things organisations can do to slow down these attacks - such as segregation of networks, host-based forensics and intelligence feeds that can be used to identify an incident sooner, slow down an attacker, and minimise the impact of it.”

But Steer added: “Many POS systems today run embedded versions of Windows which face most of the same risks and issues that Windows runs into. Protecting these devices is hard because anti-virus scanning can slow down performance for users, so protecting those devices becomes harder to address.”

In the blog, FireEye points out that several new POS malware variants have been seen this year, including a new version of Alina, LogPOS, FighterPOS and Punkey.

Once each is discovered, detection rates increase and new variants – like NitlovePOS – are created whose detection levels are initially low.

“This gives the cyber-criminals a window of opportunity to exploit the use of a new variant,” FireEye warns. “We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cyber-crime marketplace.”
