Skip to content ↓ | Skip to navigation ↓

Security researchers have unveiled a new breed of point-of-sale (POS) malware, known as GamaPOS, infecting organizations across several U.S. states.

According to the group of researchers, the malware is among the latest threats capable of scraping credit card data off of payment systems, and is being distributed through Andromeda – a well-known botnet that originally surfaced back in 2011.

“The GamaPoS threat uses a ‘shotgun’ or ‘dynamite fishing’ approach to get to targets, even unintended ones,” explained the researchers. 

“This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume,” they added.

Based off the researcher’s initial scans, they identified a number of organizations infected by GamaPOS across the United States: Arizona; California; Colorado; Florida; Georgia; Illinois; Kansas; Minnesota; Nevada; New York; South Carolina; Texas; and Wisconsin. Some organizations in Vancouver, Canada, may have also been affected, although to a lesser scale.

The researchers also noted that the GamaPoS malware seems to have specific targets in several industries worldwide, including home health care, pet care, furniture wholesale, online market stores, consumer electronics companies, employment agencies and professional services, credit unions, restaurants, as well as industrial supply distributors, among others.

“The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals,” wrote the researchers in a blog post.

Once converted into Andromeda bots, the infected machines can be manipulated via a control panel, giving attackers the capability to perform certain commands, leveraging the Mimikatz and PsExec tools to gain control.

GamaPoS_01
Source: TrendMicro

“Businesses that use Visa, Discovery, and Maestro (among other credit and debit cards) risk losing their customers’ data to GamaPoS,” warned the researchers.

As of now, the researchers estimate that GamaPOS may have only hit 3.8% of those affected by Andromeda.