Includes modified function for iterating running processes

Aug 29, 2014 14:59 GMT  ·  By

A newly discovered version of the BlackPoS malware affecting point-of-sale (PoS) systems masquerades as a service of an antivirus product to avoid detection.

The variant also changes how it enumerates the processes running on the infected machine: it now relies on the CreateToolhelp32Snapshot API for a job that earlier versions carried out through EnumProcesses. Both are legitimate, documented Windows APIs, so the swap matters mainly to anyone whose detection rules keyed on the older import.

Security researchers at Trend Micro say that the new BlackPoS also uses a different routine for searching process memory for track data, the magnetic-stripe information needed to complete a card transaction.

“Based on our analysis, this PoS malware uses a new custom search routine to check the RAM for Track data. These custom search routines have replaced the regex search in newer PoS malware. It samples 0x20000h bytes [the 0x and h imply hex bytes] in each pass, and continues scanning till it has scanned the entire memory region of the process being inspected,” threat response engineer Rhena Inocencio writes in a blog post.

Everything recovered from a process's memory is dumped to a file named McTrayErrorLogging.dll, then copied to a shared location on the network by a batch file (t.bat) that is deleted once the job is done.

To speed up collection, BlackPoS has an exclusion function that skips the memory of system processes, which cannot hold the card data it is after.
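To make the two scraper behaviours described above concrete, here is an added example written for this page; it is not BlackPoS code and not code from Trend Micro's analysis. It models a RAM scraper from the defender's side: a process exclusion list, and a byte-level (non-regex) Track 2 search run over a process memory image in 0x20000-byte passes until the whole region is covered. Only the 0x20000 pass size and the idea of skipping system processes come from the article; the concrete process names, the overlap carried between passes (so a record split across a pass boundary is still found), the Luhn filter that discards random digit runs, the public test card numbers and the sample memory images are all assumptions constructed for the example, and go beyond what the text states.

```python
CHUNK = 0x20000           # bytes inspected per pass (figure from the article)
MAX_RECORD = 40           # upper bound on a Track 2 record, sentinels included (assumed)
OVERLAP = MAX_RECORD - 1  # bytes re-read between passes so a straddling record is caught
START, SEP, END = 0x3B, 0x3D, 0x3F  # ';'  '='  '?'

# Processes whose memory cannot hold card data. Assumed list for this example,
# not the malware's actual exclusion list.
SYSTEM_PROCESSES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}


def is_candidate(process_name):
    """Exclusion function: True if the process is worth scanning."""
    return process_name.lower() not in SYSTEM_PROCESSES


def luhn_ok(pan):
    """Luhn check digit validation: separates a real PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_digit(b):
    return 0x30 <= b <= 0x39


def find_track2(buf):
    """Custom (non-regex) search for Track 2 records in a byte buffer:
    ';' PAN(13-19 digits) '=' YYMM + service code + discretionary digits '?'.
    Returns [(offset, pan)] for records whose PAN passes the Luhn check."""
    hits = []
    n = len(buf)
    i = 0
    while i < n:
        if buf[i] != START:
            i += 1
            continue
        j = i + 1                                   # PAN digits
        while j < n and j - i - 1 < 19 and _is_digit(buf[j]):
            j += 1
        if j - i - 1 < 13 or j >= n or buf[j] != SEP:
            i += 1
            continue
        k = j + 1                                   # expiry, service code, discretionary
        while k < n and k - i < MAX_RECORD - 1 and _is_digit(buf[k]):
            k += 1
        if k - j - 1 < 7 or k >= n or buf[k] != END:
            i += 1
            continue
        pan = buf[i + 1:j].decode("ascii")
        if luhn_ok(pan):
            hits.append((i, pan))
        i = k + 1
    return hits


def scan_memory(mem, chunk=CHUNK):
    """Scan a memory image in `chunk`-byte passes until the whole region is covered.
    Each pass re-reads OVERLAP bytes of the previous one so a record split across
    a pass boundary is still found; hits are keyed by absolute offset so the
    overlap cannot double-count a record."""
    found = {}
    pos = 0
    while pos < len(mem):
        start = max(0, pos - OVERLAP)
        for off, pan in find_track2(mem[start:pos + chunk]):
            found[start + off] = pan
        pos += chunk
    return sorted(found.items())


def scrape(processes, chunk=CHUNK):
    """processes: iterable of (name, memory_bytes). Only candidate processes are scanned."""
    return {name: scan_memory(mem, chunk)
            for name, mem in processes if is_candidate(name)}


# Constructed sample data (not real captures). PANs are the public test numbers
# 4111111111111111 and 5500000000000004; 4111111111111112 fails the Luhn check.
REC_A = b";4111111111111111=25121010000000000?"
REC_B = b";5500000000000004=26011010000000000?"
REC_BAD = b";4111111111111112=25121010000000000?"


def build_sample():
    pos_mem = bytearray(2 * CHUNK)
    pos_mem[0x100:0x100 + len(REC_A)] = REC_A         # wholly inside the first pass
    pos_mem[0x800:0x800 + len(REC_BAD)] = REC_BAD     # looks like a record, fails Luhn
    s = CHUNK - 12                                    # straddles the first pass boundary
    pos_mem[s:s + len(REC_B)] = REC_B
    lsass_mem = bytearray(0x1000)
    lsass_mem[0x10:0x10 + len(REC_A)] = REC_A         # never scanned: excluded process
    return [("pos.exe", bytes(pos_mem)), ("lsass.exe", bytes(lsass_mem))]


if __name__ == "__main__":
    for name, hits in scrape(build_sample()).items():
        for off, pan in hits:
            print(f"{name}: Track 2 PAN {pan[:6]}...{pan[-4:]} at offset 0x{off:X}")
```

The overlap is the detail worth noting: a scraper that blindly reads 0x20000 bytes per pass with no carry-over misses any record sitting across a boundary, and a detector written by analogy has the same blind spot. Running the block prints one hit inside the first pass and one at offset 0x1FFF4, the record that begins twelve bytes before the boundary; the lsass.exe image is never read.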

Inocencio says that PoS malware typically reaches a company's payment systems by compromising specific servers as a point of entry and then moving laterally across the network.

Other infection routes that have been observed include breaching the network communication the PoS machines rely on and compromising a machine before it is deployed.

The recommendation is to integrate multi-layered security solutions capable of protecting against vulnerabilities in systems and applications that could be leveraged to gain access to the network.

“In addition, check also when a system component has been modified or changed as criminals are using known in-house software applications to hide their tracks,” Inocencio says.

BlackPoS was first detected in early March 2013 and is believed to have been used in the Target breach at the end of last year; Target reported that card data for about 40 million customers was stolen in the incident.

A more recent malware family called Backoff has compromised the PoS systems of at least 1,000 businesses in the US; details were published on July 31 in an advisory from US-CERT (the United States Computer Emergency Readiness Team).

[UPDATE]: Analysis of the malware sample found in the Home Depot attack shows that a different piece of malware was used rather than BlackPoS, one known as FrameworkPOS.