Trend Micro has identified a new point-of-sale (POS) threat detected as TSPY_POSLOGR.K.
The presence of debug information in the malware, as well as the lack of any identifiable command-and-control capabilities, has led researchers to believe that TSPY_POSLOGR.K is in a beta testing phase, Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence.
“As with all software it’s hard to say when a ‘beta’ is finished and ready for ‘production,’” Budd said. “In this case, at least, having the missing command-and-control components is key to it being a piece of production malware.”
Because it seems to be in a beta testing phase, researchers have not seen TSPY_POSLOGR.K being widely used, Budd said.
“[From] what we have seen [it] reads data from processes specified in the initialization file,” Budd said. “In this case it’s credit card [and] point-of-sale information. But the component flexibility means it could easily be repurposed for additional data on the infected system.”
Budd referred to the malware sample as a modular and functional component that takes only a single action out of the several involved in a POS breach. He said that other components are needed to take the other actions – such as retrieving the data dumps – and explained that a complete attack is likely carried out by deploying those other components together as part of a package.
The analyzed sample takes actions as directed by its configuration file, which is not present on the system by default, most likely as an obfuscation step, Budd said, adding that this makes it harder to determine what actions the malware is taking on infected systems.