FireEye detects financially-motivated criminal group targeting PoS systems with new, never-seen-before malware

May 11, 2016 18:10 GMT  ·  By

Microsoft patched a zero-day vulnerability in the Windows operating system that was used in real-world attacks to escalate user privileges and help crooks deliver malware to PoS (Point of Sale) systems.

Security firm FireEye says the criminal group behind this campaign targeted more than 100 North American businesses, mainly in the retail, hospitality and restaurant industries.

The group created its own brand of malware

The company also reveals the presence of two never-seen-before malware families, PUNCHBUGGY and PUNCHTRACK, used only by this threat group.

PUNCHBUGGY is a simple DLL file, modified to let the crooks request and download files from a remote server over HTTPS. PUNCHTRACK is a classic PoS malware family that scrapes the memory of PoS systems for Track 1 or Track 2 card data.

FireEye says that on March 8, they saw a new exploit against the Windows platform employed in this group's campaign.

The security firm says the group distributed Word files via spam campaigns. The Word files tricked users into enabling macro support, and the macro then ran an exploit that executed code with the privileges of the current user.

Crooks used an unpatched Windows bug to install their malware

Using this foothold, they then downloaded the zero-day package, which allowed the attacker to escalate privileges to system administrator. With admin rights in hand, the attacker could install and run any malware he wanted on the compromised system.

The zero-day (CVE-2016-0167) took advantage of a bug in the win32k Windows graphics subsystem. FireEye reported the issue to Microsoft, which released a temporary fix (MS16-039) in April's Patch Tuesday and a complete fix (MS16-062) in this month's security update.

"This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication," FireEye noted about the criminal group behind these attacks.