Retailers are urged to tread carefully after another piece of point-of-sale (POS) malware has been found and seen traded on underground markets.
The malicious software, known as LusyPOS, was submitted on Nov. 30 to VirusTotal, a free online virus, malware and URL scanner. At the time of writing, the sample was detected by 30 of the service's 55 anti-virus engines.
Security researchers described the malware as the first of its kind and noted that it is larger than other POS samples they have analyzed. Reverse engineers Nick Hoffman and Jeremy Humble at CBTS explained that it appears to be a hybrid of older POS malware families, combining “Dexter-like behavior with Chewbacca-like techniques.”
Like Chewbacca, LusyPOS uses Tor (The Onion Router) to anonymize its command-and-control server. In a January report, Chewbacca was found to have infected 119 POS terminals at 45 unique retailers, with indications that more than 50,000 unique payment cards had been compromised.
Meanwhile, LusyPOS' collection of the running process list and its use of registry keys to maintain persistence on the infected machine were previously seen in the custom-made Dexter malware, first discovered in 2012.
Tripwire security analyst Ken Westin noted that this reliance on Tor also gives organizations another means of detection: “POS devices should not be accessing the Internet in the first place, let alone be able to connect through Tor. Host-based intrusion detection systems such as Tripwire Enterprise will also detect when the Tor files get written to a system, as well as many of the other changes on the system made by the malware.”
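The two checks Westin describes (a POS host reaching anything outside the internal network, or talking to Tor's default ports, and Tor files appearing on a terminal) are simple enough to script. The following is an added example, not code from the article, Tripwire or the LusyPOS analysis. The log format, the POS subnet, the Tor file names and the connection records are all constructed for illustration; the destination addresses use RFC 5737 documentation ranges so nothing here points at a real host.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed connection records (hypothetical host-firewall / Sysmon-style
# export, not a real log format): "src dst dport action"
SAMPLE_CONNECTIONS = """\
10.20.1.15 10.20.1.2 443 ALLOW
10.20.1.15 203.0.113.77 9001 ALLOW
10.20.1.16 127.0.0.1 9050 ALLOW
10.20.1.17 192.168.5.10 8080 ALLOW
10.30.0.5 198.51.100.9 443 ALLOW
"""

# Constructed file-creation events: (host, path)
SAMPLE_FILE_EVENTS = [
    ("10.20.1.16", r"C:\Windows\Temp\tor.exe"),
    ("10.20.1.16", r"C:\Windows\Temp\torrc"),
    ("10.20.1.17", r"C:\POS\logs\receipts.txt"),
]

# Assumed POS VLAN; in practice this comes from your network inventory.
POS_SEGMENT = ipaddress.ip_network("10.20.1.0/24")

# Allow-list of internal ranges. Anything a POS host talks to outside these
# is a finding regardless of port (POS terminals should not reach the Internet).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Tor's default ports: ORPort 9001, DirPort 9030, SOCKS 9050/9150, control 9051.
# A POS host talking to 127.0.0.1:9050 means a local Tor client is running.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9051, 9150}

# File names the Tor client ships with; a HIDS rule would key on these.
TOR_FILE_NAMES = {"tor.exe", "torrc"}

RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify_connections(text: str) -> List[Dict[str, object]]:
    """Return connection records from POS hosts that break the egress policy."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        dport = int(m.group(3))
        if src not in POS_SEGMENT:
            continue  # only POS hosts are subject to this policy
        reasons = []
        if not is_internal(dst):
            reasons.append("not-internal-destination")
        if dport in TOR_DEFAULT_PORTS:
            reasons.append("tor-default-port")
        if reasons:
            findings.append({"src": str(src), "dst": str(dst),
                             "dport": dport, "reasons": reasons})
    return findings


def tor_file_writes(events) -> List[str]:
    """Return hosts in the POS segment that wrote a Tor client file."""
    hosts = []
    for host, path in events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ipaddress.ip_address(host) in POS_SEGMENT and name in TOR_FILE_NAMES:
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for f in classify_connections(SAMPLE_CONNECTIONS):
        print("egress finding:", f)
    print("tor files written on:", tor_file_writes(SAMPLE_FILE_EVENTS))
```

The allow-list approach is deliberate: flagging "not internal" rather than "is public" avoids depending on how a library classifies special-purpose ranges, and it matches the stated policy that a terminal has no business reaching anything but its payment switch and management hosts.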
Although malware continues to evolve with increasingly sophisticated techniques, Westin added that there are still a number of ways to detect it in a retail network environment.
“First and foremost, retailers cannot rely on a single solution, such as anti-virus to protect their networks,” said Westin.
“To mitigate the risks these new families of malware targeting point-of-sale systems pose, organizations need to monitor any changes being made on the host, and identify anything that even looks like a credit card number being written to files or being transferred across the network.”
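"Anything that even looks like a credit card number" is usually implemented as a digit-run scan followed by a Luhn check, with a track-2 pattern for the data POS scrapers actually harvest. The following is an added example and not Tripwire's or the article's code. The buffer is constructed and uses only well-known test card numbers, not real cards; the brand-prefix table is a simplified assumption and the timestamp is included on purpose to show why Luhn alone is not enough.

```python
import re
from typing import List, Tuple

# Constructed buffer (not from any real system): a valid test PAN, a PAN with a
# bad check digit, a track-2 record, and a timestamp that happens to pass Luhn.
SAMPLE_BUFFER = (
    b"name=J DOE;pan=4111111111111111;bad=4111111111111112\n"
    b";5555555555554444=25121010000000000000?\n"
    b"logged=20141130123456\n"
)

# 13-19 digit runs not adjacent to other digits (a 20-digit run is not a PAN).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_brand(pan: str) -> bool:
    """Simplified issuer-prefix and length rules (assumed, not exhaustive)."""
    n = len(pan)
    if pan[0] == "4":
        return n in (13, 16, 19)                      # Visa
    if pan[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(pan[:4]) <= 2720:
        return n == 16                                # Mastercard
    if pan[:2] in {"34", "37"}:
        return n == 15                                # American Express
    if pan.startswith("6011") or pan[:2] == "65":
        return n == 16                                # Discover
    return False


def find_card_like(data: bytes, require_brand: bool = True) -> List[str]:
    """Digit runs that pass Luhn (and, optionally, a brand prefix/length rule)."""
    hits = []
    for m in PAN_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        if require_brand and not plausible_brand(pan):
            continue
        hits.append(pan)
    return hits


def find_track2(data: bytes) -> List[Tuple[str, str]]:
    """(PAN, YYMM expiry) pairs from track-2 formatted records."""
    out = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            out.append((pan, m.group(2).decode("ascii")))
    return out


if __name__ == "__main__":
    print("luhn only:  ", find_card_like(SAMPLE_BUFFER, require_brand=False))
    print("with brand: ", find_card_like(SAMPLE_BUFFER))
    print("track 2:    ", find_track2(SAMPLE_BUFFER))
```

Run over file writes or a packet payload, the Luhn-only pass will flag the timestamp `20141130123456` as a valid number; the prefix rule drops it while keeping the two test PANs. The track-2 match is the higher-confidence signal, because nothing legitimate on a POS host should be writing `;PAN=YYMM...?` strings to disk or sending them off-box.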