In the UK we don’t often come across brand new POS malware, presumably as we are in a Chip & PIN market, so the “return” for attackers on deploying such technology is limited. Last week though, we did come across what appears to be a new sample that we’re calling TinyPOS.
While the sample is a typical memory scraper, it appears to be “hand rolled” assembly language and comes in at only 5120 bytes. The malware contains an old school exclusion list that performs extremely rapid double word (DWORD, 4-byte) comparisons, rather than the slower but far more common string comparisons, to identify which processes to ignore, and it internally validates the identified account data through an implementation of the Luhn algorithm.
The malware exfiltrates the collected account data directly to an external Command and Control (C2) Server in Eastern Europe, but unusually the communications utilise “raw” TCP sockets rather than the HTTP protocol that has become the norm in POS malware. The data is encoded prior to transmission using a DWORD XOR routine (each 4-byte word of the output is XORed with a key), so IDS technology is unlikely to see raw Track data flying around a compromised network.
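The two behaviours above (Luhn validation of scraped account numbers and DWORD XOR encoding of the exfiltrated data) are the ones an incident responder most needs to reproduce when working back from a captured C2 stream. The following is an added example written for this post; it is not code from the sample or from our team's tooling. It assumes a repeating 4-byte little-endian XOR key, uses a constructed key (0xDEADBEEF), a constructed Track 2 record built around the well-known test PAN 4111111111111111, and a hypothetical crib-based key recovery routine that relies on the Track 2 start sentinel being at a known offset.

```python
import re
import struct


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    This is the same validation the post describes the malware performing
    on scraped account numbers; here it is used to filter decoded output.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def dword_xor(data: bytes, key: int) -> bytes:
    """XOR data with a repeating 4-byte little-endian key.

    XOR is symmetric, so the same call both encodes and decodes. The
    little-endian layout is an assumption about the encoder, not a fact
    from the sample.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


# Track 2: ';' sentinel, 13-19 digit PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def extract_luhn_valid_pans(decoded: bytes) -> list:
    """Return the PANs in a decoded buffer whose check digit verifies."""
    text = decoded.decode("latin-1")
    return [pan for pan, _exp in TRACK2_RE.findall(text) if luhn_valid(pan)]


def find_track_data(payload: bytes, candidate_keys):
    """Try each candidate XOR key; return (key, pans) for the first key that
    yields Luhn-valid Track 2 data, or None if none does."""
    for key in candidate_keys:
        pans = extract_luhn_valid_pans(dword_xor(payload, key))
        if pans:
            return key, pans
    return None


def recover_key_from_crib(payload: bytes, crib: bytes, offset: int) -> int:
    """Recover a 4-byte repeating XOR key from 4 known plaintext bytes.

    Hypothetical forensic helper: with a fixed repeating key, four bytes of
    known plaintext at any offset reveal the whole key, since
    key[(offset+i) % 4] = payload[offset+i] ^ crib[i].
    """
    if len(crib) < 4 or offset + 4 > len(payload):
        raise ValueError("need at least 4 crib bytes inside the payload")
    key_bytes = bytearray(4)
    for i in range(4):
        key_bytes[(offset + i) % 4] = payload[offset + i] ^ crib[i]
    return struct.unpack("<I", bytes(key_bytes))[0]


# Constructed sample: one Luhn-valid test PAN and one with a bad check digit.
SAMPLE_KEY = 0xDEADBEEF  # constructed; the real key is not known from the post
SAMPLE_PLAINTEXT = (
    b";4111111111111111=2512101123456789?"
    b";4111111111111112=2512101123456789?"
)
SAMPLE_PAYLOAD = dword_xor(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    # Analyst workflow: recover the key from the ';411' crib, then decode.
    key = recover_key_from_crib(SAMPLE_PAYLOAD, b";411", 0)
    print("recovered key: 0x%08X" % key)
    print("valid PANs:", extract_luhn_valid_pans(dword_xor(SAMPLE_PAYLOAD, key)))
    print("brute candidates:", find_track_data(SAMPLE_PAYLOAD, [0x11111111, SAMPLE_KEY]))
```

The Luhn filter matters because a memory scraper's regular expression will also match serial numbers, timestamps and other digit runs; dropping anything that fails the check digit leaves a much shorter list of account numbers to report as compromised. The crib approach works only because the key is a short repeating DWORD: four bytes of predictable plaintext (the Track 2 sentinel and the first digits of a known card brand range) are enough to recover it.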
We’ve seen two variants at this point in time, although they're almost identical, and we will provide additional information over the next few days. Hash values for the samples seen are below.
Sample 1:
md5  deb132c28f43fd86508f5ef363a28a73
sha1 a0bb561c1c76e23be99db00089c1350d230238ac

Sample 2:
md5  039bd8cc80126ad2b21b45364d47220e
sha1 4920fe1afe5f1fa5ec39499aff807d8c2ca657a7