Tuesday, 17 November 2015

POS Malware Alert - AbaddonPOS and Cherry Picker

Two new malware families, AbaddonPOS and Cherry Picker, have been identified targeting point-of-sale (POS) terminals.

The AbaddonPOS malware is delivered by the Angler Exploit Kit or through an infected Microsoft Office document. The malware scans the memory of every process running on the infected system (excluding its own memory space) looking for card data. Once card data has been found, it is sent back to a Command and Control (C&C) server.

Cherry Picker also targets card data, but it has some further functionality built in. It tries to clean up after itself, and this is the main reason why it went undetected for such a long time. Another characteristic of Cherry Picker is that it focuses on just one process that is known to contain card data. That way it attracts as little attention as possible, compared to targeting all running processes on the infected system.
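The two paragraphs above describe two different memory-access patterns: a sweep across every process (AbaddonPOS) and a single targeted process (Cherry Picker). The detection logic below is an added example of mine, not code from the post or from either malware analysis; it assumes Sysmon Event ID 10 (ProcessAccess) records have been flattened into one constructed pipe-separated line each, and that the POS application is called pos.exe.

```python
import re
from collections import defaultdict

# Windows access right that permits reading another process's memory.
PROCESS_VM_READ = 0x0010

# Constructed one-line summaries of Sysmon Event ID 10 (ProcessAccess) records.
# Field names match Sysmon's; the paths, masks and "|" layout are invented.
SAMPLE_EVENTS = """\
SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1000
SourceImage: C:\\Users\\Public\\upd.exe|TargetImage: C:\\Windows\\explorer.exe|GrantedAccess: 0x1010
SourceImage: C:\\Users\\Public\\upd.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1010
SourceImage: C:\\Users\\Public\\upd.exe|TargetImage: C:\\Windows\\System32\\svchost.exe|GrantedAccess: 0x1010
SourceImage: C:\\Users\\Public\\upd.exe|TargetImage: C:\\Windows\\System32\\spoolsv.exe|GrantedAccess: 0x1010
SourceImage: C:\\Users\\Public\\upd.exe|TargetImage: C:\\Program Files\\Java\\javaw.exe|GrantedAccess: 0x1010
SourceImage: C:\\Windows\\Temp\\sr.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1FFFFF
SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1FFFFF
"""

FIELD_RE = re.compile(r"(\w+): ([^|]+)")

def parse_event(line):
    """Turn one flattened record into a dict; GrantedAccess becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields

def find_memory_readers(text, pos_image="pos.exe", broad_threshold=4,
                        allowlist=("csrss.exe", "lsass.exe")):
    """Return (broad_scanners, pos_readers): sources that read the memory of
    many distinct processes (AbaddonPOS-style sweep) and sources that read the
    POS process specifically (Cherry Picker-style single target)."""
    targets_by_source = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        src_name = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        # Ignore expected system readers and handles that cannot read memory.
        if src_name in allowlist or not ev["GrantedAccess"] & PROCESS_VM_READ:
            continue
        target_name = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
        targets_by_source[ev["SourceImage"]].add(target_name)
    broad = sorted(s for s, t in targets_by_source.items() if len(t) >= broad_threshold)
    pos_readers = sorted(s for s, t in targets_by_source.items() if pos_image in t)
    return broad, pos_readers

if __name__ == "__main__":
    broad, pos = find_memory_readers(SAMPLE_EVENTS)
    print("broad memory sweep:", broad)
    print("reads POS process memory:", pos)
```

The allowlist and threshold are tuning knobs; on a real POS host the baseline of legitimate readers of the payment process should be established first so that the single-target rule stays quiet in normal operation.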

More sophisticated
Malware has become more sophisticated and has evolved to use evasive techniques as well. As a result, it has become a lot harder to detect and defend against. It is estimated that Cherry Picker managed to remain hidden for nearly four years. More specifically, this malware was able to adapt to its environment before it started scraping cardholder data from the memory of the infected POS terminals. Cherry Picker made use of encryption and configuration files, supported command line arguments, and even used obfuscation (a technique that scrambles binary and textual data in such a way that it becomes almost unreadable or very hard to understand). POS malware is one of the most common methods cybercriminals use to steal payment card information.

Angler Exploit Kit
The Angler Exploit Kit has been used by organised cybercriminals to spread malware that managed to steal approximately $3 million each month through ransomware attacks. CryptoWall and TeslaCrypt were the two ransomware families found in over 60% of the systems infected by the Angler Exploit Kit. Ransomware is specifically designed to hold the user's data hostage by encrypting all the files, while demanding a ransom in order to restore access to them. The statistics showed that 90,000 systems were being infected daily by this ransomware campaign, which is estimated to have generated an annual revenue of more than $34 million.

Sysnet has extensive experience in compliance and security. Our passion for pragmatic and innovative solutions when it comes to addressing Cybersecurity problems allows us to be the thought leaders in the market when it comes to addressing such multi-layered and complicated challenges related to security.

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.
