
Security researchers have discovered a new family of sophisticated point-of-sale (PoS) malware, capable of stealing credit and debit card data from retailers’ payment systems.

Dubbed “PoSeidon,” the malware program scrapes memory from infected machines in search of valid credit card information, and stealthily exfiltrates the data to servers – the majority of which are hosted on Russian (.ru) domains.

“At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot,” explained the researchers in a blog post.

Source: Talos

The loader then contacts a command and control (C&C) server, which responds by sending a URL containing another binary, FindStr, to download and execute. A keylogger is installed, and begins scanning the memory of the PoS device for number sequences of potential credit card numbers.

Next, the numbers are verified as payment card numbers using the Luhn algorithm. Keystrokes and credit card numbers are then encoded and sent to an exfiltration server.
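To show what the Luhn filter described above actually does, here is an added example (not code from the article or from the Talos researchers) that applies the same check from the defender's side: it scans a constructed sample buffer, standing in for a PoS process memory dump taken during a PCI exposure test, for 13 to 19 digit runs, keeps only Luhn-valid candidates, and reports them masked. The buffer contents and the 13 to 19 digit length bounds are assumptions for the example.

```python
import re

# Constructed sample buffer: one Luhn-valid test PAN (a well-known Visa test
# number) next to a 16-digit run that looks like a card number but fails Luhn.
SAMPLE_BUFFER = b"order=42;pan=4111111111111111;ref=1234567890123456;zip=90210"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left; every second digit (starting next to the check
    # digit) is doubled, and doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidate_pans(buf: bytes) -> list:
    """Find 13-19 digit runs in a raw buffer and keep those that pass Luhn.

    Digit runs that fail the checksum (order ids, references) are dropped,
    which is exactly why a memory scraper applies Luhn before exfiltrating.
    """
    text = buf.decode("latin-1")  # latin-1 maps every byte, so no decode errors
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [run for run in runs if luhn_valid(run)]


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Report cleartext PANs found in the buffer without logging the full value.
    for pan in find_candidate_pans(SAMPLE_BUFFER):
        print("cleartext PAN candidate in buffer:", mask_pan(pan))
```

Running this against a real process dump rather than the constructed buffer tells you whether your PoS software leaves PANs in memory where a scraper like PoSeidon could harvest them.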

According to the security researchers, the keylogging feature could have been used to steal passwords, and may have been the initial infection vector.

PoSeidon resembles, in its capabilities, the infamous Zeus banking Trojan, as well as BlackPOS – the malware responsible for the massive breach at Target in 2013, and the Home Depot compromise last year.

“PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” said the researchers.

As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families, warned the security team.

Network administrators are advised to remain vigilant and adhere to industry best practices to mitigate advanced malware threats.