Security researchers are warning of a new POS malware strain which has the potential to cause yet more pain for retailers and their customers in the run up to the busy festive season.
AbaddonPOS was initially discovered by Proofpoint analysts as it was being downloaded as part of a Vawtrak infection, they wrote in a blog post.
Specifically it was delivered via either weaponized Office documents downloading Pony malware or an Angler EK Bedep infection. Downloader TinyLoader was then loaded by Vawtrack to download more shell code—finally triggering AbaddonPOS.
AbaddonPOS is only around 5KB in size but has been fitted with anti-analysis and obfuscation techniques to prevent manual and automatic analysis.
For example, it uses a CALL instruction to hinder static analysis.
Most of the malware’s code is not obfuscated, however, except for the code used to encode and transmit stolen credit card data.
It then relies on a custom binary protocol to exfiltrate the stolen data, rather than HTTP.
The firm concluded:
The practice of threat actors to increase their target surfaces by leveraging a single campaign to deliver multiple payloads is by now a well-established practice. While using this technique to deliver point of sale malware is less common, the approach of the US holiday shopping season gives cyber-criminals ample reason to maximize the return on their campaigns by distributing a new, powerful PoS malware that can capture the credit and debit card transactions of holiday shoppers.
AbaddonPOS isn’t the only piece of malware set to cause problems for retailers as they prepare for the busy Christmas shopping period.
Cherry Picker has been active since 2011 but remained under the radar thanks to its highly covert nature, according to Trustwave.
The POS malware apparently cleans itself from an infected system once it has found what it was looking for, using remote software TeamViewer to remove and overwrite files and logs.