POS Malware (Stealth tool to steal the valuable Card Details in your Pocket)


It is again the holiday season; everyone is enjoying it to the fullest, and so are the hackers. So before going reckless, pause and look at the breaches of the past two years. We tried to analyze the exploitation patterns of PoS malware from both the technological and the physical standpoint, and, believe it or not, YOU ARE NOT SECURE.

Point-of-Sale RAM scrapers are what’s making the news

Let us take a step back and analyze the Target breach. Although most of the exploitation scenario is already public, there was still a point of weakness, what we call a vulnerability, and we will concentrate on that alone.

You would think that in order to steal the credit card data of hundreds of millions of Target shoppers, the attackers would have had to compromise a payment processor or Target’s corporate servers and then steal all the data from one central location. But pause for a second: who in the 21st century wants to spend that much time and labor to fetch credit card data?

That would certainly have been one way to steal massive troves of payment data from a retail giant, but it is not what happened in the case of Target.

In fact, Target’s payment processor and payment processing system had very little to do with the breach. Whoever was responsible for the attack deployed a special kind of malware that targets card readers and cash registers, known as point-of-sale (PoS) malware.

“To be perfectly clear, the attackers most definitely locked into Target’s corporate payment servers in some way. The problem with that though is by the time the card-data makes it to those servers, the information has already been encrypted. However there is a brief period of time in between where that information must be decrypted in plain-text for payment authorization purposes. In that small time window, in the cash register itself – or a nearby server depending upon the system – the Credit Card data was stolen”

Exciting, isn’t it? Without even compromising the fortress-like network architectures of these big giants, the attackers took a short path and attacked the point-of-sale device, which sits in public and gets the least attention.

Symantec compiled its data on PoS malware into a timeline graph that shows the generations of PoS malware since their inception.

We will now explain a handful of malware families from a technical point of view, which will help us understand how the sophistication and capabilities of PoS malware have advanced over time.
Trend Micro published a family tree of PoS RAM scrapers:

This gives a brief picture of the forefathers of PoS RAM scraper malware and the dependencies between them. It also helped us, while preparing this post, to focus on and study the few families that form the baseline for these malware.

POS Malware 1: Rdasrv

Four years ago there were some strategic developments in PoS malware, aimed specifically at organizations that had invested relatively little in defensive countermeasures, in particular the education and hospitality industries.

The exact purpose behind the development of this malware was to circumvent the protection offered by PCI DSS compliance, i.e. “an entity can’t store the PAN unless it is encrypted”.

Unlike traditional malware that analyses every running process, Rdasrv searched only for process names hardcoded in its binary: it iterated over all running processes in memory and compared each name against its target list with a string-compare function.

When it found a target, it called OpenProcess with the PROCESS_ALL_ACCESS flag to obtain a handle and then read the process’s memory with ReadProcessMemory.
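As an added example (not from the original post or any vendor’s tooling), here is the defender’s counterpart to that OpenProcess/ReadProcessMemory pattern: detection logic run over Sysmon Event ID 10 (ProcessAccess) records, flagging any process that obtains a handle carrying PROCESS_VM_READ to a PoS process from an image outside an allow-list. The PoS process names and the allow-listed agent path are placeholders, and the sample records are constructed.

```python
import re

# Access-right bits from winnt.h; PROCESS_ALL_ACCESS (what the page says Rdasrv requested) includes both.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1F0FFF     # older SDK value; builds targeting Vista+ use 0x1FFFFF

# Placeholders: the page's list of targeted process names did not survive extraction, and the
# allow-list of legitimate memory readers (AV/EDR agents) is site specific.
POS_PROCESS_NAMES = {"pos.exe", "posapp.exe"}
ALLOWED_SOURCES = {r"c:\program files\endpoint-agent\agent.exe"}

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$", re.M)

def parse_sysmon_event(record: str) -> dict:
    """Parse the 'Key: value' lines of one Sysmon Event ID 10 (ProcessAccess) record."""
    return {key: value.strip() for key, value in FIELD_RE.findall(record)}

def is_suspicious_access(event: dict) -> bool:
    """Flag a handle to a PoS process that carries PROCESS_VM_READ (the right ReadProcessMemory
    needs) from any image not on the allow-list. Matching the single bit rather than the full
    0x1F0FFF mask also catches a scraper that asks only for the minimum rights it needs."""
    target = event.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    source = event.get("SourceImage", "").lower()
    granted = int(event.get("GrantedAccess", "0"), 16)
    return target in POS_PROCESS_NAMES and bool(granted & PROCESS_VM_READ) and source not in ALLOWED_SOURCES

def scan_records(records: list) -> list:
    """Return the SourceImage of every record that looks like RAM scraping."""
    return [ev["SourceImage"] for ev in map(parse_sysmon_event, records) if is_suspicious_access(ev)]

# Constructed sample records in the field layout Sysmon uses for Event ID 10.
SAMPLE_RECORDS = [
    "SourceImage: C:\\Windows\\Temp\\rdasrv.exe\nTargetImage: C:\\POS\\pos.exe\nGrantedAccess: 0x1F0FFF",
    "SourceImage: C:\\Program Files\\Endpoint-Agent\\agent.exe\nTargetImage: C:\\POS\\pos.exe\nGrantedAccess: 0x1F0FFF",
    "SourceImage: C:\\Windows\\System32\\csrss.exe\nTargetImage: C:\\POS\\pos.exe\nGrantedAccess: 0x1400",
    "SourceImage: C:\\Windows\\Temp\\rdasrv.exe\nTargetImage: C:\\Windows\\notepad.exe\nGrantedAccess: 0x1F0FFF",
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))   # only the first record is reported
```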

“Rdasrv” targeted the following processes:

The malware ran Perl-style regular expressions, hardcoded in its binary, over the process memory it had read in order to match Track 1 and Track 2 data.

Track 1 and Track 2 card data scraped from process memory were written to disk in a file called “data.txt” or “current.txt”. As Rdasrv has no data-exfiltration functionality, the data files were retrieved manually or via remote access.

POS Malware 2: Alina

One year later a new malware family appeared that remains significant today. According to its version history, the latest known version is 6.x. A few anti-virus firms identified similar samples as JackPOS, which was discovered as early as the beginning of 2014, and a more recent development named “Spark” (the name given by SpiderLabs) came to light in October or November 2014.

The malware employed the procedure shown below:

Encryption Mechanism:

ALINA’s binary was hardcoded with the addresses of several C&C servers. The compromised system tried to connect to them in turn, using the status code in the reply to judge success; if a server did not respond, it contacted the next hardcoded server.
Before sending exfiltrated data to the C&C servers, ALINA follows this process:

  • It first applies hexadecimal encoding to the Track 1 and Track 2 data.
  • The encoded data is encrypted with XOR, and the key is stored in the header of the data packet.
  • The header is itself XOR-encrypted, and the packet is sent to the designated C&C server, which replies with a status code.

Recommended countermeasures against this class of malware:

  • Build and Maintain a Secure Network
  • Regularly Monitor and Test Networks
  • Application Whitelisting
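An added example, not from the original post, serving both the Rdasrv section (regex matching of track data) and the ALINA exfiltration steps above, written from the analyst’s side: a scanner that finds Track 2 records in a dropped file or memory dump the way a DLP tool would (Luhn-validated so random digit runs are not reported, PAN masked in output), and a decoder showing why hex encoding plus XOR with the key carried in the packet gives no confidentiality to anyone holding a packet capture. It assumes a single-byte XOR key over the hex-encoded payload; the actual ALINA header layout is not described on the page, and the sample record and key are constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN (13-19 digits) '=' YYMM service code discretionary data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,50})\?")
HEX_ALPHABET = frozenset(b"0123456789abcdef")

def luhn_ok(pan: bytes) -> bool:
    """Luhn check, so that digit runs which merely look like a PAN are not reported."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track2(blob: bytes) -> list:
    """Report Luhn-valid Track 2 records in a blob (a dropped data.txt or a memory dump), masking the PAN."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1)
        if luhn_ok(pan):
            masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]
            hits.append({"pan": masked.decode(), "expiry": m.group(2).decode(), "offset": m.start()})
    return hits

def decode_xor_hex_exfil(payload: bytes):
    """Recover a single-byte XOR key from a captured payload without using the header's copy of it.
    Assumption (not stated on the page): one key byte over hex-encoded track data. Only 256
    candidates exist, and the right one yields pure hex that decodes to a valid Track 2 record."""
    if len(payload) % 2:
        return None
    for key in range(256):
        candidate = bytes(b ^ key for b in payload)
        if not HEX_ALPHABET.issuperset(candidate):
            continue
        hits = find_track2(bytes.fromhex(candidate.decode()))
        if hits:
            return {"key": key, "tracks": hits}
    return None

# Constructed sample: a Luhn-valid test PAN, expiry 25/12, service code 101, hex-encoded and
# XORed with key 0x5a, i.e. the two steps the text describes before the packet leaves the host.
SAMPLE_TRACK = b";4111111111111111=2512101123456?"
SAMPLE_PAYLOAD = bytes(c ^ 0x5a for c in SAMPLE_TRACK.hex().encode())

if __name__ == "__main__":
    print(find_track2(b"junk " + SAMPLE_TRACK + b" more"))
    print(decode_xor_hex_exfil(SAMPLE_PAYLOAD))
```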

ALINA does not confine itself to a few known PoS applications; it spreads through the environment with the help of social engineering tactics, and with a mature codebase it continues to enjoy recurring success.

POS Malware 3: Carbanak

The New York Times reported on 14 February 2015 that “Bank Hackers Steal Millions via Malware”, and Sergey Golovanov of Kaspersky said of how the thieves targeted bank employees: “The goal was to mimic their activities.”

Ever seen a TV commercial in which a candy machine dispenses endless candy, or a soft-drink machine does something similar? Of course you have. The same thing happened in late 2013 in the capital of Ukraine: an ATM started dispensing cash at seemingly random times of day, with no card inserted and nobody operating it, and the money was taken by whichever customers were fortunate enough to be there at the right time.

One of the major cyber security firms, Kaspersky Lab, was called in to investigate. With only a little investigation they uncovered a far larger heist and told the bank that the tampered ATMs were nowhere near the scale of the breach it was actually facing and still unaware of.

The malware had already penetrated deep into the PCs of bank personnel whose daily work was fund transfers or bookkeeping. It installed a RAT (remote access toolkit) and sent picture feeds to base locations in Russia, China and many European countries. The feeds captured the routine working practices of the bank’s employees, which enabled the next phase of the breach: impersonating bank officers. That led not only to the rapid dispensing of cash from ATMs but also to huge fund transfers from accounts in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts in other countries.

In its recent report, Kaspersky Lab claimed that more than 100 banks in no fewer than 30 countries were hit by this malware.

This group certainly stole close to USD $1 billion, even if the Kaspersky report is a couple of months late or generous to the attackers by a few hundred million dollars.

The Kaspersky report also referenced some victim banks in the United States, although the New York Times story notes that the majority of the targeted financial institutions were in Russia. The Group-IB/Fox-IT report did not mention US banks as victims.

The Financial Services Information Sharing and Analysis Center said in a public press meeting that “our members are aware of this activity. We have dispersed intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”

Chris Doggett, Managing Director of Kaspersky North America, said at a public conference: “This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cyber criminals have used to remain covert”.

Following is an example of Carbanak spear phishing email:

The malware begins its exploitation by leveraging a remote code execution vulnerability and immediately installs Carbanak. Kaspersky Lab also found traces of the Null and RedKit exploit kits.

Statistics of victims found by Kaspersky Lab (table omitted); its columns translate to: Country name, All visitors, Unique visitors, Banned visitors, Revoked infections, Infected.

Despite increased awareness of cyber-crime within the financial services sector, spear phishing attacks and old exploits evidently remain effective against large companies. Attackers favour this minimal-effort approach in order to bypass a victim’s defences.

Will new technologies render POS malware obsolete?

New card security technologies such as EMV chips and tokenization are considered effective countermeasures against the never-ending stream of PoS malware, but everyone knows they are not a silver bullet. These countermeasures will reduce the number of breaches but will not eradicate them completely.

The Chip-and-PIN standard itself may be superseded at some point by the adoption of NFC mobile payment solutions such as Apple Pay, Google Wallet or CurrentC; with these payment technologies the credit card number is not transmitted during the transaction, so the Chip-and-PIN standard would not be needed in the coming era. NFC is still susceptible to exploitation by attackers, but most attacks require physical proximity, making large-scale theft almost impossible.

Advice for Consumers

Encryption mechanisms for point-of-sale networks have been on the market for a long time and are being deployed by vendors at a much faster pace due to the stringent requirements of the PCI SSC. However, attackers will develop new exploitation techniques in response to the countermeasures introduced by the security standards bodies.

There are several steps we can take to remain vigilant against this type of fraud (as suggested by Symantec):

  • Monitor your bank account and credit card statements for any strange or unfamiliar transactions.
  • Notify your bank immediately if you notice anything suspicious.
  • Small transactions, such as a $1 charitable donation, are often used by criminals to test if a card is still usable.
  • Carefully guard personal information such as your address, your Social Security number, or date of birth, and don’t use easily guessed passwords or PIN codes.
  • All of these details can be used to facilitate identity theft and defeat additional security checks.


Organizations that store, process and/or transmit card (credit/debit) data are required to meet the security requirements specified by the Payment Card Industry Data Security Standard (PCI DSS).

Kaushik Pandey