Three Malware Campaigns Come Alive for the Holiday Shopping Season (source: BleepingComputer)
by CIRT Team
Three malware strains, GratefulPOS, Emotet, and Zeus Panda, have sprung to life with new active campaigns just in time for the holiday shopping season.
While GratefulPOS appears to be a new malware strain, the other two, Emotet and Zeus Panda, have only received minor updates that let them go after online shops, which are busier this time of year.
Of the three, the most intriguing is GratefulPOS, a malware strain that targets Point of Sale (POS) systems. Discovered by the Target Cyber Threat Intelligence & Detection Team and analyzed by security researchers from RSA's FirstWatch division, GratefulPOS appears to be a code mashup of multiple malware families, including FrameworkPOS, TRINITY, BlackPOS, and BrickPOS.
First spotted in mid-November, GratefulPOS was designed to execute on POS systems running x64 versions of Windows 7 or later.
According to RSA researchers, the malware appears to be installed manually, meaning attackers must compromise POS networks beforehand.
Under the hood, GratefulPOS is largely based on FrameworkPOS, meaning it shares most of that family's features [1, 2, 3, 4], such as the ability to scrape RAM for payment card data and to send the collected data to its C&C server as encoded and heavily obfuscated DNS queries.
"This DNS exfiltration method employed by the POS malware is clever," says RSA researcher Kent Backman. "It effectively negates a common POS system control employed by payment card merchants, which is blocking direct access to the Internet from the POS systems. If the POS systems point to internal DNS servers, this malware should have no problem exfiltrating credit card data en masse without a direct connection to the Internet."
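One defensive check the quoted exfiltration method invites, as an added example that is not from the article or from RSA's analysis: a small Python scan over constructed DNS query log lines that flags long, high-entropy subdomain labels and clients issuing many distinct subdomains under one domain. The log format, hostnames, and thresholds are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name) for this example; not real traffic.
SAMPLE_LOG = """\
10.1.1.20 pos-update.example-vendor.com
10.1.1.20 time.windows.com
10.1.1.21 0123456789abcdef0123456789abcdef.fedcba9876543210fedcba9876543210.badexfil.example
10.1.1.21 89abcdef0123456789abcdef01234567.76543210fedcba9876543210fedcba98.badexfil.example
10.1.1.21 456789abcdef0123456789abcdef0123.3210fedcba9876543210fedcba987654.badexfil.example
10.1.1.22 www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; uniformly random hex tops out at 4.0, ordinary hostnames sit nearer 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Approximate the registered domain as the last two labels (use a public-suffix list in production)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def flag_query(name: str, max_label: int = 40, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """A single query looks like encoded exfiltration if its subdomain part is long and high-entropy."""
    sub_labels, _ = split_name(name)
    payload = "".join(sub_labels)
    if any(len(label) > max_label for label in sub_labels):
        return True
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy

def analyze_log(text: str, unique_threshold: int = 3):
    """Return (flagged queries, {(client, domain): distinct-subdomain count} above the threshold)."""
    flagged = []
    seen = defaultdict(set)
    for line in text.splitlines():
        client, name = line.split()
        sub_labels, domain = split_name(name)
        if flag_query(name):
            flagged.append((client, name))
        seen[(client, domain)].add(".".join(sub_labels))
    chatty = {k: len(v) for k, v in seen.items() if len(v) >= unique_threshold}
    return flagged, chatty
```

Tune the thresholds against a baseline of the POS network's normal resolver traffic; per-client counts of distinct subdomains to one domain are usually the more robust signal, since legitimate CDN names can also look random.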