FighterPOS Malware Can Now Spread on Its Own

Posted on

Brazilian POS malware gets worm-like features. A POS (Point of Sale) malware family has just taken a dangerous turn in its evolution after Trend Micro researchers observed that it has now gained the ability to replicate itself and spread to other local systems.

Called FighterPOS, this malware family was first seen in April 2015, when Trend Micro researchers discovered it targeting POS terminals in Brazil.

At that time, researchers speculated that FighterPOS was a one-man operation, probably run by a local Brazilian hacker. Trend Micro also reported that the person behind the malware used it to steal 22,000 credit card details and that its author was selling a version of his malware on the Dark Web for around $5,000 (€4,500).

FighterPOS evolves into Floki Intruder

Based on data picked up by their security products, the same Trend Micro experts are nowreporting on a new variation of the FighterPOS malware family, which they dubbed Floki Intruder.

According to their investigation, this variant is not developed by the same person that created the original FighterPOS malware. It appears that the source code was sold to someone else, or that the hacker behind the first version might have joined forces with someone else.

File compilation details reveal that a different person put together Floki Invader, a theory that’s also reinforced by the fact that many source code functions and comments are now in English, not Portuguese as they were in FighterPOS.

Floki Intruder can replicate itself

Floki Intruder appears to be much dangerous than the old FighterPOS version. The main difference is the presence of a worm-like feature that goes into effect after Floki infects computers.

This worm-like feature will scan the local network for similar POS terminals, clone itself and infect those devices as well.

“Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network,” Trend Micro’s Erika Mendoza and Jay Yaneza explain. “A propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.”

Despite the presence of English code in the malware’s source, FighterPOS (Floki Intruder) has not moved outside Brazil. Over 93% of all FighterPOS infections are coming from Brazil while only 6% of infected terminals are located in the US.

Floki Intruder geographical spread

Floki Intruder geographical spread

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s