Researchers with Cisco's Talos Security Intelligence and Research Group have identified a new point-of-sale (POS) malware family – referred to as 'PoSeidon' – that takes steps to maintain persistence and also has mechanisms for updating.
Ultimately, the malware targets POS systems, scrapes the memory of infected machines for payment card information, and exfiltrates the data to servers – many of which are hosted on Russian domains, according to a Friday post.
Upon infection, PoSeidon takes steps to achieve persistence so that the malware will survive should there be a system reboot, according to the post. The C&C is then contacted, which leads to a minimal keylogger being installed.
“The keylogger is installed to pull credit card data,” Craig Williams, senior technical leader for Cisco's Talos Security Intelligence and Research Group, told SCMagazine.com in email correspondence. “It is not uncommon for more sophisticated and current POS malware samples.”
Next, the malware begins scanning the memory of the infected POS device for sequences of digits that could be payment card numbers, the post indicates.
PoSeidon only looks for 16-digit sequences beginning with four, five, and six – for Mastercard, Visa, and Discover cards – and 15-digit sequences beginning with three for American Express cards, the post notes. The Luhn algorithm is used to verify that the numbers are actual payment card numbers.
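As an added example that is not code from the Talos post, the following Python applies the same length/prefix filter and Luhn check described above to a constructed buffer, the kind of routine a defender uses to validate DLP rules or to confirm whether a captured payload holds card-number-like data. The regex, function names and sample values are assumptions.

```python
import re

# Prefix/length filter from the Talos description: 16 digits starting 4/5/6
# (Visa, Mastercard, Discover) or 15 digits starting 3 (American Express).
# Lookarounds reject runs embedded inside longer digit strings.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check on a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):  # walk from the rightmost digit
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit, fold to a single digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pan_candidates(buf: bytes) -> list[str]:
    """Digit runs in buf that pass both the prefix/length filter and Luhn.
    Use to test DLP rules or to check whether a captured payload holds
    real-looking card data."""
    hits = []
    for m in PAN_CANDIDATE.finditer(buf):
        run = m.group(0).decode("ascii")
        if luhn_valid(run):
            hits.append(run)
    return hits

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample buffer (not real data): valid test PANs, a Luhn
# failure, a Luhn-valid run with a non-card prefix, and an embedded run.
SAMPLE = (
    b"track=4111111111111111;exp=1226\n"          # Visa test number, Luhn OK
    b"id=5500000000000004 amex=340000000000009\n" # Mastercard + Amex, Luhn OK
    b"bad=4111111111111112\n"                     # Luhn fails
    b"ts=1234567812345670\n"                      # Luhn OK but leads with 1
    b"long=46011000000000004000\n"                # inside a 20-digit run
)

if __name__ == "__main__":
    for pan in find_pan_candidates(SAMPLE):
        print(mask_pan(pan))
```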
Payment card information and keylogger data are then sent to the exfiltration server “after being XORed and Base64 encoded,” the post states.
“PoSeidon is interesting because it is self-updateable,” Williams said. “It has interesting evasions by using the combination of XOR, Base64, etc, and it has direct communication with the exfiltration servers, as opposed to common POS malware, which logs and stores for future exfiltration from another system.”
Securing against these types of threats should involve a threat-centric approach built on superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum, Williams said.
Williams could not provide additional information or statistics on who specifically is being targeted and impacted by PoSeidon.