Security researchers have spotted two new malware strains, AbaddonPOS and Cherry Picker, that are targeting point-of-sale (PoS) terminals.

As security firm Proofpoint reveals in a blog post, AbaddonPOS was first discovered earlier this fall:

“On October 8, Proofpoint researchers observed Vawtrak [3] (project ID 5) downloading TinyLoader, a downloader that uses a custom protocol for downloading executable payloads from its command and control (C2) server,” explains Trustwave. “TinyLoader was then used to download another downloader in the form of shellcode, which then downloaded AbaddonPOS.”

The firm goes on to explain that the malware can be delivered by the Angler Exploit Kit or by an infected Microsoft Office document, and that it uses evasive techniques, including a CALL instruction to push a function parameter in place of a PUSH instruction, in order to avoid detection.

AbaddonPOS using CALL instruction to hinder static analysis. (Source: Proofpoint)

The malware ultimately reads the memory of all processes except itself for credit card data. As SCMagazine explains in an article, once the data is found, AbaddonPOS sends this information back to a command and control (C&C) server using a custom binary protocol.

Meanwhile, researchers with Trustwave have identified Cherry Picker, a configurable PoS malware that also uses a variety of techniques to fool analysis solutions. These include encryption, configuration files, command line arguments, obfuscation, and a special “cleaner” file that contains a “custom shredder function” that removes malware and exfiltration file locations before shredding any trace of the executable itself.

“The malware’s unique ability to clean up after itself and create a clean slate within the system is a major contributor to why it’s gone undetected for so long,” Eric Merritt, the primary researcher who observed the malware at Trustwave, told Threatpost. “In addition to cleaning up after itself, the malware draws less attention to itself by focusing on one process that is known to contain card data as opposed to targeting all processes.”

PoS malware has been prevalent in the United States in recent years. However, as pointed out by The Register, the introduction of EMV technology on credit cards could ultimately work against AbaddonPOS, Cherry Picker, and others.