Public transport ticket solutions in public areas targeted

Nov 27, 2014 07:23 GMT  ·  By

A new strain of malware designed for point of sale systems has been discovered by security experts to also infect ticket vending machines and electronic kiosks.

Called “d4re|dev1|” (DareDevil) by the researchers at IntelCrawler, the malware has been found on various PoS solutions, such as QuickBooks Point of Sale Multi-Store, Figure Gemini PoS, Harmony WinPOS, and OSIPOS Retail Management System.

Threat is disguised as legitimate process

“This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features,” researchers say in a blog post.

The threat is disguised as a legitimate process on the compromised machine, posing as Google Chrome or as PGTerm.exe, which appears to belong to the Pay&Go client product, a payment software solution.

It can also be disguised as “hkcmd.exe,” a process that regularly facilitates hot key interception on systems equipped with Intel graphics.
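An added example (not from the article or from IntelCrawler) of how a defender can triage a process list for the masquerading described above: a process carrying a watched name but running from an unexpected directory or lacking the expected Authenticode signer is flagged, and a watched name with no known-good baseline is reported for manual review. The install directories and signer names are assumptions, and the process snapshot is constructed.

```python
"""Flag processes that reuse a well-known name but do not look like the real binary."""
from pathlib import PureWindowsPath

# Known-good baseline per process name (assumed values, not from the article).
# dirs: directories the genuine binary is installed in; signer: expected
# Authenticode subject. None for both means "no baseline available".
EXPECTED = {
    "chrome.exe": {
        "dirs": {r"C:\Program Files\Google\Chrome\Application",
                 r"C:\Program Files (x86)\Google\Chrome\Application"},
        "signer": "Google LLC",
    },
    "hkcmd.exe": {"dirs": {r"C:\Windows\System32"}, "signer": "Intel Corporation"},
    # The article gives no install path or signer for PGTerm.exe.
    "pgterm.exe": {"dirs": None, "signer": None},
}


def _parent_dir(path):
    """Lower-cased directory part of a Windows path, for case-insensitive comparison."""
    return str(PureWindowsPath(path).parent).lower()


def find_masquerading(processes):
    """Return (pid, name, reason) for each watched process that deviates from its baseline.

    Each record is a dict with pid, name, path and signer (None when unsigned).
    """
    findings = []
    for proc in processes:
        rule = EXPECTED.get(proc["name"].lower())
        if rule is None:
            continue  # not a name we have a baseline for
        if rule["dirs"] is None and rule["signer"] is None:
            findings.append((proc["pid"], proc["name"], "no known-good baseline; verify manually"))
            continue
        reasons = []
        if rule["dirs"] is not None and _parent_dir(proc["path"]) not in {d.lower() for d in rule["dirs"]}:
            reasons.append("unexpected path " + proc["path"])
        if rule["signer"] is not None and proc.get("signer") != rule["signer"]:
            reasons.append("unexpected signer " + repr(proc.get("signer")))
        if reasons:
            findings.append((proc["pid"], proc["name"], "; ".join(reasons)))
    return findings


# Constructed sample snapshot (not real data): two genuine, two suspicious, one unknown.
SAMPLE = [
    {"pid": 1204, "name": "chrome.exe", "path": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", "signer": "Google LLC"},
    {"pid": 2380, "name": "hkcmd.exe", "path": r"C:\Windows\System32\hkcmd.exe", "signer": "Intel Corporation"},
    {"pid": 3412, "name": "hkcmd.exe", "path": r"C:\Users\pos\AppData\Roaming\hkcmd.exe", "signer": None},
    {"pid": 3590, "name": "Chrome.exe", "path": r"C:\ProgramData\Chrome.exe", "signer": "Google LLC"},
    {"pid": 4010, "name": "PGTerm.exe", "path": r"C:\PayGo\PGTerm.exe", "signer": None},
]

if __name__ == "__main__":
    for pid, name, reason in find_masquerading(SAMPLE):
        print(pid, name, reason)
```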

The IntelCrawler analysis found that the author of DareDevil built in a file upload capability, a feature that can be used to update the threat.

Alternatively, the same capability can be used to drop additional backdoors and tools onto the compromised machine in order to move laterally across the network. This suggests that the cybercriminals are interested in stealing information from as many machines as possible, focusing on large networks that connect a high number of payment terminals for increased profit.

ATM machines used for social online activity and browsing

PoS malware is specifically designed to look for card data directly in the memory of the compromised system, where it sits unencrypted for a short period, only for as long as the payment verification takes.

During the investigation of DareDevil, security researchers found that internal security policies had not been respected by PoS operators, and they used the machines for activities they were not suited for.

IntelCrawler discovered that employees would check their emails on the terminals, play games, browse the Internet, send messages, and even view social network activity. It may be that this is how the machines became infected because “these cases have a common denominator of weak passwords and logins, many of which were found in large 3rd party credential exposures,” the security company says.

Apart from PoS systems, the malware also targeted kiosks and ticket machines in public areas, even though they hold significantly less cash than ATMs. However, they are easy to compromise because of their insecure remote administration sessions.

Such a device was discovered back in August, in Sardinia, Italy, and was accessed by the cybercriminals through the VNC remote administration software.

Image gallery (7 images): DareDevil affects multiple PoS systems; web interface of the DareDevil command and control server; dumps from machines infected with DareDevil; information intercepted from a Harmony PoS system.