Botnet bruteforcing Point Of Sale terminals via Remote Desktop

March 11, 2014  |  Jaime Blasco

Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing bruteforce attacks against Remote Desktop using certain username and passwords.

MD5: c1fab4a0b7f4404baf8eab4d58b1f821

Other similar samples:

Once started the malware copy itself to Documents and SettingsAdministratorApplication Datalsacs.exe and starts the communication with the C&C sending data about the status of the bot (number of hosts bruteforced, packets per second, number threatds, version, etc).

and the server replies with a configuration block containing:

- Login/Password list to use during bruteforcing

- Timestamp

- List of IP Addresses to attack

- Number of threads to use

- Interval 

As you can see some of the user/passwords that they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the default ones commonly used in Point of Sale terminals by retailers and businesses all around the world.

The control panel of the botnet is also hosted in the same server:

This is not new, we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second stage payload commonly known as a memory scrapper that is a piece of malware that searchs for credit card data in memory before it has been encrypted. Some examples are:

- BlackPOS

- VSkimmer

- RetalixScrapper

- Dexter

These pieces of malware are able to extract the credit card data from the terminal and exfiltrate the data to the attackers that will then sell the information in the black market.

When it comes to detect the infection of a system in your network, this is how our AlienVault Unified Security Management (USM) will detect a compromised assset in your network:


USM is able to detect both the communication wit the the C&C server and the network activity that is generated when the malware performs bruteforce attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database and the correlation engine used that information to generate an alarm about a system compromise.



If you want to try yourself you can download our Open Source SIEM - OSSIM or the Free 30 day trial of AlienVault Unified Security Management (USM)

We have shown how these threats can impact companies using Point Of Sale terminals, specially those retailers and medium and small businesses that don't have visibility into the systems that are part of their networks and handle credit card information.

Some recommendations to protect against these kind of attacks are:

- Change default credentials of POS systems

- Configure an access control list

- Keep your software up-to-date

- Install an Antivirus solution

- Centralize and monitor the logs from your POS systems to detect potential security breaches

Share this with others

Get price Free trial