The point-of-sale (POS) terminals of a North American merchant were compromised earlier this year using a combination of POS malware families, Visa says.
The organization studied malware variants used in separate attacks on two North American merchants in May and June 2020: one attack used a TinyPOS variant, while the other combined several malware families, including MMon (aka Kaptoxa), PwnPOS, and RtPOS.
In the first attack, phishing emails were sent to the staff of a North American hospitality merchant to compromise customer accounts, including an administrator account, and legitimate administrative tools were then used to enter the network's cardholder data environment (CDE).
The attackers then deployed the TinyPOS memory scraper to capture Track 1 and Track 2 payment card data, using a batch script to spread the malware en masse across the network. The analyzed malware sample contained no networking or exfiltration functionality.
In addition to collecting card data and storing it for exfiltration, the malware enumerates the processes running on the device to identify those belonging to specific POS software.
In the second attack, Visa researchers were unable to determine the exact intrusion vector, but they collected evidence indicating that the adversary used remote access software and credential dumpers for initial access, lateral movement, and malware deployment.
Visa was unable to recover the malware used in these stages of the breach. In a technical report, Visa states that the POS malware variants used in this attack targeted Track 1 and Track 2 payment account data.
The RtPOS sample used in this attack iterates over the running processes to identify those of interest, gains access to the memory space of the compromised device, and uses the Luhn algorithm to validate all the Track 1 and Track 2 data it discovers.
MMon ('memory monitor'), also known as IP on underground forums, has been around for about a decade and has so far powered POS scraping malware such as JavalinPOS, BlackPOS, POSRAM, and others.
PwnPOS achieves persistence by installing itself as a program, uses the Luhn algorithm to identify card data, writes that data to a plain text file, and logs its own activity to a log file.
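The Luhn check that RtPOS and PwnPOS use to pick real card numbers out of memory is the same check a defender can use to spot leaked track data in files or traffic. The following is an added example, not code from Visa's report or from any of the malware described; it parses Track 1 and Track 2 records from a constructed plain-text dump (the kind PwnPOS is said to write), keeps only Luhn-valid PANs, and reports them masked. The sample PANs are well-known test numbers, not real cards.

```python
import re

# Constructed sample of a plain-text dump such as a scraper might write.
# Track 1 starts with "%B", Track 2 with ";"; the third record has a
# PAN with a bad check digit, and the last line is not track data at all.
SAMPLE_DUMP = """
%B4111111111111111^DOE/JANE^25121011000000000000?
;5555555555554444=25121011000000000?
;4111111111111112=25121011000000000?
random text 1234567890123456 not a track
"""

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM>...
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})")
# Track 2: ;<PAN>=<YYMM>...
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})")

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep BIN and last four so the finding itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """Find Track 1/2 records whose PAN passes Luhn.
    Returns (track, masked_pan, expiry) tuples in order of appearance."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan, _name, exp = m.groups()
        if luhn_valid(pan):
            hits.append(("track1", mask(pan), exp))
    for m in TRACK2_RE.finditer(text):
        pan, exp = m.groups()
        if luhn_valid(pan):
            hits.append(("track2", mask(pan), exp))
    return hits
```

Run over a suspicious file or a reassembled network stream, a non-empty result from `find_track_data` is a strong signal that scraped card data is sitting on or leaving the host.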
To reduce their exposure to POS malware, merchants are advised to use the available IOCs to improve detection and remediation, secure remote access, use unique credentials for each user account, monitor network traffic, enforce network segmentation, enable behavioral detection, and keep software up to date with the latest patches.