Currently at version 3.0, security researchers say that the most recently spotted samples of the point-of-sale (PoS) malware may have been compiled during the last week of January. Earlier versions (2.1 – 2.3) have also been seen in the wild, possibly compiled in December 2014.
NewPoSThings was first reported by Arbor Networks in September 2014, although analysis showed that it was under active development since at least October 20, 2013.
PoS malware impersonates Java updater
At that time, the threat ran a check of the system architecture and exited if it detected a 64-bit machine, alerting the cybercriminals of the reason of the infection failure. This suggests that such a variant was ready at that time, or in the works.
Upon installation, it replaces the JavaUpdate.exe process and sets up persistence by adding itself as a startup item in the registry under the name “Java Update Manager.”
Arbor Network’s analysis revealed that NewPoSThings looks for passwords for remote administration software such as RealVNC, TightVNC, WinVNC or UltraVNC, a tactic confirmed in a blog post on Wednesday by Jay Yaneza, threat analyst at Trend Micro.
Then it begins the memory scraping activity in search of payment card data processed by the point-of-sale machine. Keylogging activity has also been observed by the researchers, with the purpose of capturing user input.
Malware learns new tricks, infects airport locations
Yaneza says that the keylogger thread communicates with the command and control (C&C) server every five minutes if the compromised computer is connected to the Internet; every 10 minutes, a transfer thread checks whether the data is ready to be exfiltrated to the C&C.
One of the tweaks added by the malware authors in NewPoSThings 3.0 is to completely hide the path to the file that includes configuration for disabling security warnings for certain extensions (EXE, BAT, REG, VBS) on Windows.
Furthermore, it includes compatibility with Windows 7 machines, relies on a custom packer and adds some measures to prevent analysis.
The researcher says that the latest samples for version 2.x have been repackaged and come with a backdoor that has keylogging functionality, as well as the ability to start or stop the VNC session and the computer webcam, if available.
Apart from this, the backdoor checks the list of running processes and reports it to the command and control server.
“While going through C&C activity we saw, there were two that stood out. We observed attempts to connect to the C&C of the newer NewPoSThings PoS malware from IP addresses of two US-based airports,” Yaneza says, suggesting that establishments in these busy locations have become more attractive to cybercriminals.