Crooks deploy new malware called PosCardStealer

Aug 9, 2016 13:01 GMT  ·  By

A criminal group is using compromised LogMeIn accounts belonging to systems running PoS software to access those computers and infect them with the new PosCardStealer malware.

At the end of June, PandaLabs reported on a wave of PoS infections that had hit over 200 systems, mainly in the US. All of them were infected with a relatively new PoS malware strain named PunkeyPOS.

After publicly disclosing the attacks, PandaLabs continued to investigate the infected systems, and their efforts paid off because they discovered more details about the criminal group's mode of operation.

Group used LogMeIn to access computers running PoS software

PandaLabs researchers say the group managed to obtain the LogMeIn user credentials for accounts used on computers running PoS software and connected to PoS terminals. LogMeIn is a tool similar to TeamViewer that allows users to log in to and manage remote devices.

Researchers explain that the crooks did not use a zero-day vulnerability in LogMeIn, but took advantage of weak login credentials or discovered the login credentials through other sources.

The crooks logged into these computers and compromised the PoS software running on the workstation, the software that processes financial transactions through the attached PoS devices.

Crooks deployed PunkeyPOS, Multigrain, and PosCardStealer

In most cases, attackers employed the PunkeyPOS malware, which PandaLabs discovered in earlier attacks, but also the Multigrain (also called NewPoSThings) malware, and in a few attacks, a new threat, which they named PosCardStealer.

To deploy these three threats, the group accessed the compromised systems via LogMeIn, downloaded a binary file, and then launched it.

After 14 hours, the crooks would order one of the infected systems to download and install the PoS malware. This was only a test: if everything still worked after ten minutes, the crooks would instruct all compromised systems to do the same.
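The deployment pattern above (a remote-access session dropping and running a binary, one pilot host, then the rest of the fleet minutes later) is something endpoint telemetry can be checked for. The following is an added detection sketch, not PandaLabs code; the process events are constructed, and the LogMeIn parent process name and the download paths are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_TOOLS = {"logmein.exe"}  # assumed name of the LogMeIn session parent process
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # drop locations to watch

# Constructed telemetry: (timestamp, host, parent image, child image, child sha256)
EVENTS = [
    ("2016-06-01T09:00:00", "pos-02", "explorer.exe", r"C:\Dinerware\brain.exe", "h-brain"),
    ("2016-06-01T10:00:00", "pos-01", "LogMeIn.exe", r"C:\Users\pos\Downloads\svc.exe", "h-mal"),
    ("2016-06-01T10:11:00", "pos-02", "LogMeIn.exe", r"C:\Users\pos\Downloads\svc.exe", "h-mal"),
    ("2016-06-01T10:11:30", "pos-03", "LogMeIn.exe", r"C:\Users\pos\Downloads\svc.exe", "h-mal"),
    ("2016-06-01T10:12:00", "pos-04", "LogMeIn.exe", r"C:\Users\pos\Downloads\svc.exe", "h-mal"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def remote_session_launches(events):
    """Executables started by a remote-access session from a user-writable path."""
    hits = []
    for _ts_, host, parent, image, sha in events:
        if parent.lower() in REMOTE_TOOLS and any(p in image.lower() for p in USER_WRITABLE):
            hits.append((host, image, sha))
    return hits


def staged_rollout(events, window=timedelta(minutes=30), min_followers=3):
    """Binary first run on a single pilot host, then on >= min_followers other hosts
    within `window` of the pilot run: the test-then-fleet pattern described above."""
    by_hash = defaultdict(list)
    for ts, host, _parent, _image, sha in events:
        by_hash[sha].append((_ts(ts), host))
    findings = {}
    for sha, runs in by_hash.items():
        runs.sort()
        t0, pilot = runs[0]
        followers = sorted({h for t, h in runs[1:] if h != pilot and t - t0 <= window})
        if len(followers) >= min_followers:
            findings[sha] = (pilot, followers)
    return findings
```

Both checks are meant to be run over the whole PoS fleet, since the rollout signal only appears when events from several hosts are correlated.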

As for the new PosCardStealer PoS malware variant PandaLabs discovered, researchers say they identified the first attack on September 30, 2015, with the malware's compilation date being September 28, 2015, two days before its deployment.

Crooks used PosCardStealer on at least 30 PoS systems. The malware's infection routine included support for Dinerware (brain.exe), a PoS system generally deployed at bars and restaurants, and POSitouch (spcwin.exe).