In the UK we don’t often come across brand new POS malware, presumably as we are in a Chip & PIN market, so the “return” for attackers on deploying such technology is limited. Last week though, we did come across what appears to be a new sample that we’re calling TinyPOS.
While the sample is a typical memory scraper, it appears to be “hand rolled” assembly language and comes in at only 5120 bytes. The malware contains an old school exclusion list that performs extremely rapid double word comparisons rather than the slower but far more common string comparisons to identify which process to ignore, and internally validates the identified account data through an implementation of the Luhn algorithm.
The malware exfiltrates the collected account data directly to an external Command and Control (C2) Server in Eastern Europe, but unusually the communications utilise “raw” TCP sockets rather than the HTTP protocol that has become the norm in POS malware. The data is encoded prior to transmission using a dword XOR routine, so IDS technology is unlikely to see raw Track data flying around a compromised network.
We’ve seen two variants at this point in time, although they're almost identical, and we will provide additional information over the next few days. Hash values for the samples seen are below.
Is your business under attack?
If you suspect your business may be under attack, we may be able to help. Click on the link below to find out about our Digital Forensics & Incident Response Team - we support clients locally and globally.