A newly discovered malware sample for point of sale (PoS) systems has been encountered by security researchers, who say that it integrates code from two other threats of the same kind, Dexter and Chewbacca.

The fresh sample has been discovered on VirusTotal, and Nick Hoffman, reverse engineer at CBTS, says that it is a fairly new strain.

Named LusyPoS, the malware was flagged on Google’s scanning service on November 30 by only seven out of 54 antivirus engines, some of the products actually identifying the built-in Tor component and not the threat itself.

Threat is larger in size than similar threats

According to the engineer, LusyPoS is quite heavy at 4MB, whereas other PoS malware can be as small as 17KB (Getmypass PoS, also discovered by Hoffman).

For comparison, BlackPoS, responsible for last year’s breach at Target, is a little over 250KB in size. FrameworkPOS, which was used to steal financial info from Home Depot, is about 130KB; and the infamous Backoff, which affected more than 1,000 businesses in the US, is about 75KB.

Referring to the similarities with other malware families, in a blog post on Monday, Hoffman says that LusyPoS is “a strange mix of Dexter-like behavior mixed with Chewbacca-like techniques.”

Code and techniques are not original

The strings found during the reverse engineering process are similar to those available in Dexter, while the connection through the Tor anonymity network is specific to Chewbacca.

The code in LusyPoS contains information about the command and control servers as well as a list of processes whose memory should be scanned for financial information.

It also relies on registry keys in order to achieve persistence on the affected system. According to the researcher, the code is very similar to what is available in Dexter PoS malware.

As far as the RAM scraping is concerned, the malware does not employ an original technique, but one used by other RAM scrapers. The operation follows the common sequence of calling CreateToolhelp32Snapshot and then iterating over the running processes with Process32First and Process32Next, the researcher says.

Another similarity with other pieces of PoS malware is the use of the Luhn algorithm to verify the information. Hoffman says that “Luhn’s algorithm is the de facto algorithm for validating credit card numbers” and it is also used in FrameworkPOS, Dexter, and Getmypass.
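The Luhn check the article refers to is the same one DLP tools and forensic examiners use to tell real-looking card numbers from other digit runs, for instance when verifying whether a compromised PoS process held cleartext card data. The following is an added example, not code from the article or from any of the malware families named; the sample text and all numbers in it are constructed test values, not real cards.

```python
import re
from typing import List

# Constructed sample text (made-up values, not real card numbers): a
# fragment of the kind an examiner might see when checking whether a
# PoS process kept unencrypted track data in memory.
SAMPLE_DUMP = (
    "%B4111111111111111^DOE/JOHN^2512101?  order=12345678901234  "
    "ref=4111111111111112 tel=5555555555 cc=5500000000000004"
)

# Runs of 13 to 19 digits not adjacent to other digits (the PAN length range).
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Working from the rightmost digit, every second digit is doubled (and
    reduced by 9 if the product exceeds 9); the total must be divisible by 10.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return PAN-length digit runs that pass Luhn, in order of appearance."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Mask a PAN for an incident report: keep only the first 6 and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_DUMP):
        print(mask_pan(pan))
```

Of the four long digit runs in the sample, only two pass the check; the order number and the off-by-one card number are discarded, which is why scrapers and scanners alike lean on Luhn to cut noise.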

It is not unusual for cybercriminals to take strings from samples whose code has been leaked online and integrate them in their malicious software.

Crooks do not care whether it’s an entire component or just the best part of a malware piece, as long as they can quickly create a tool to make some money at this time of the year.