Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

Posted on

Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

There is new a malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:

At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Technical details
The file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps be at the source of the PoS system compromise. We call this file KeyLogger based on debugging information found in the binary:

Upon execution, this file copies itself to either %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

The file also opens HKCU\Software\LogMeIn Ignition and enumerates the keys for the account sub key, opens it and deletes the PasswordTicket Value and obtains the Email Value. Also deletes registry tree HKCU\Software\LogMeIn Ignition\<key>\Profiles\* .

The file sends to an exfiltration server by POSTing data to one of these URIs:

The URI format is


The Keylogger component was potentially used to steal passwords and could have been the initial infection vector.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s