In a previous blog, we discussed why Point of Sale (POS) devices remain such an attractive target and described some different attack methods. As you can see from the infographic below, retail and POS have been (pardon the pun) “Targets” on an ongoing basis for the past few years, and the trend doesn’t appear to be reversing, even with technologies such as EMV and P2PE. In this blog, we describe some of the different families of this malware.
POS Malware Common Features
Families of this malware typically utilize similar techniques as their end goal is the same – to steal account details, and especially payment card information.
Card Data Mining
Card data (the track 1 and track 2 information read from the magnetic stripe) is frequently present in plain text in the memory of the POS application while a transaction is being processed. Several malware variants scrape process memory and locate that data with regular expressions (RegEx); different families sometimes share part or all of the same RegEx. Regular expressions are an easy way to search for patterns that identify specific kinds of data, but they are computationally expensive when run over large amounts of memory. Other variants therefore use custom search routines that look only for specific features: the track delimiters, account number prefixes that correspond to the major card issuers, the length of the primary account number (PAN), and in some cases a Luhn check on the PAN. A targeted search of this kind touches less memory and uses less CPU than a blanket pattern scan, which makes the malware's activity harder to notice.
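The same search can be turned around and used defensively, for example to check a memory dump taken during an incident for exposed card data. The following is an added example in Python, not code from the original post or from any of the malware families discussed: it runs the two delimiter-anchored regexes over a constructed memory snapshot, then keeps only the hits that also pass the issuer-prefix, PAN-length and Luhn checks described above, so that a pattern match alone is not enough. The issuer prefix table is a small public subset, not a complete IIN list, and the PANs in the sample are published test numbers.

```python
import re

# Track layouts follow ISO/IEC 7813. Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?  The sentinels and separators are what
# make a regex cheap to anchor, and they are shared across many scraper families.
TRACK1 = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Issuer prefixes and the PAN lengths that go with them: a small public subset, not a full IIN table.
ISSUER_PREFIXES = (
    (("34", "37"), "Amex", (15,)),
    (("51", "52", "53", "54", "55"), "Mastercard", (16,)),
    (("6011", "65"), "Discover", (16,)),
    (("4",), "Visa", (13, 16, 19)),
)

# Constructed memory snapshot (not a real dump). The PANs are published test numbers.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS app heap junk\x00"
    + b";4111111111111111=1412101000000000?"              # valid Visa PAN, track 2
    + b"\x00\x00\xff\xfe random bytes \x01"
    + b"%B5500000000000004^DOE/JOHN^1506201000000000?"    # valid Mastercard PAN, track 1
    + b";4111111111111112=1412101?"                       # decoy: delimiters ok, Luhn fails
    + b";1234567890123456=1412101?"                       # decoy: no known issuer prefix
    + b"5500000000000004 with no track delimiters\x00"    # bare PAN the regexes ignore
)


def luhn_ok(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812): double every second digit from the right, subtract 9 from
    any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(pan: str):
    """Name the issuer when both the prefix and the PAN length fit, else None."""
    for prefixes, issuer, lengths in ISSUER_PREFIXES:
        if pan.startswith(prefixes) and len(pan) in lengths:
            return issuer
    return None


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes):
    """Regex pass followed by the targeted checks; returns validated, masked hits ordered by offset."""
    hits = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            issuer = issuer_for(pan)
            if issuer is None or not luhn_ok(pan):
                continue  # the pattern matched, but this is not a plausible card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "issuer": issuer,
                "pan": mask_pan(pan),
                "expiry": m.group("exp").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Run against the sample, only the two genuine records survive: the two decoys match the track 2 regex but fail the Luhn or prefix checks, and the bare PAN without delimiters is never considered at all. Masking the PAN before it leaves the function matters in practice, because a scanner that writes full card numbers to its own log has just created another copy of the data the attacker was after.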
Process injection and blacklisting
Some of this malware reduces its footprint, and with it the chance of detection, by injecting its code into other processes. It also limits the number of processes it scrapes to keep its performance impact low. A few families scrape the memory of every process to increase the odds of finding useful data, but that also increases the odds that someone notices the load or the unusual memory access. Most POS malware instead carries a blacklist of processes to skip and concentrates on the few processes likely to hold card data.
Key logging is a feature that often accompanies memory scraping. It lets attackers capture PINs as well as account numbers: a PIN pad that is attached as a keyboard-class device is seen by the operating system as just another keyboard, so no special-purpose key logging code is needed to read its keystrokes.
Once the malware has captured account details with the techniques above, the attackers need a way to get at the data. Some variants only store it locally and have no built-in exfiltration feature; the attackers then retrieve it manually, typically over some kind of remote session, although recovery through physical access is also possible.
Many variants, however, have built-in exfiltration that sends the stolen data to drop sites or command and control (C&C) servers, over e-mail, FTP, HTTP, HTTPS, DNS, Tor or other protocols. Some transmit the data in plaintext; others obfuscate or encrypt it before transmission, so network-level detection that only pattern-matches on track data will miss those.
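The DNS channel in that list deserves a concrete detection, because outbound DNS is the protocol most likely to pass through a retail network without inspection. The following is an added example in Python, not code from the original post or from any of the families described. It assumes a constructed log format (timestamp, client, query name, query type) and an attacker who hex-encodes stolen track records into subdomain labels; that encoding is one common approach and is not a description of any particular family's wire format. The detection groups encoded-looking query names per client and base domain and alerts once one client has sent several to the same domain. The thresholds and the two-label base-domain split are simplifying assumptions.

```python
import re
from collections import defaultdict

# One query per line: <timestamp> <client ip> <query name> <query type>  (constructed format).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
HEX_ONLY = re.compile(r"^[0-9a-f]+$")
BASE32_ONLY = re.compile(r"^[a-z2-7]+$")

# Tunable thresholds (assumptions): shorter strings could be ordinary host labels, and two or
# more encoded-looking names from one client to one domain is where an alert is raised.
MIN_ENCODED_LEN = 24
MIN_UNIQUE_NAMES = 2


def _encode_as_labels(record: str) -> str:
    """Hex-encode a track record and split it into DNS labels of at most 63 octets (the
    per-label limit from RFC 1035). Used only to build the constructed sample log below."""
    h = record.encode("ascii").hex()
    return ".".join(h[i:i + 63] for i in range(0, len(h), 63))


# Constructed sample, not a real capture: one client, mostly legitimate lookups, plus three
# queries carrying hex-encoded track data (public test PANs) under one attacker-controlled domain.
SAMPLE_DNS_LOG = "\n".join([
    "2014-09-02T10:00:01Z 10.1.20.15 pos-update.vendor.example A",
    "2014-09-02T10:00:03Z 10.1.20.15 www.example.com A",
    "2014-09-02T10:00:04Z 10.1.20.15 a-long-but-legitimate-cdn-hostname-with-hyphens.example.net A",
    f"2014-09-02T10:00:05Z 10.1.20.15 {_encode_as_labels(';4111111111111111=1412101?')}.c2-lookalike.example A",
    f"2014-09-02T10:00:06Z 10.1.20.15 {_encode_as_labels(';5500000000000004=1506201?')}.c2-lookalike.example A",
    f"2014-09-02T10:00:07Z 10.1.20.15 {_encode_as_labels('%B5500000000000004^DOE/JOHN^1506201?')}.c2-lookalike.example A",
    "2014-09-02T10:00:09Z 10.1.20.15 mail.example.com MX",
])


def split_qname(qname: str):
    """Split into (subdomain, base domain). The last two labels are taken as the base domain,
    a simplification; production code should consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_encoded(subdomain: str) -> bool:
    """True when the subdomain labels, joined, are long and drawn purely from a hex or base32
    alphabet. Hyphens or short labels fail, which keeps ordinary hostnames out."""
    s = subdomain.replace(".", "")
    if len(s) < MIN_ENCODED_LEN:
        return False
    return bool(HEX_ONLY.match(s) or BASE32_ONLY.match(s))


def parse_log(text: str):
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def find_dns_exfil(text: str, min_unique: int = MIN_UNIQUE_NAMES):
    """Bucket encoded-looking query names per (client, base domain) and alert when one client
    has sent at least min_unique distinct ones to the same domain."""
    buckets = defaultdict(set)
    for rec in parse_log(text):
        sub, base = split_qname(rec["qname"])
        if sub and looks_encoded(sub):
            buckets[(rec["client"], base)].add(sub)
    alerts = []
    for (client, base), subs in sorted(buckets.items()):
        if len(subs) >= min_unique:
            alerts.append({
                "client": client,
                "domain": base,
                "unique_encoded_names": len(subs),
                "encoded_chars": sum(len(s.replace(".", "")) for s in subs),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dns_exfil(SAMPLE_DNS_LOG):
        print(alert)
```

On the sample this yields a single alert for the client and the attacker domain, with three distinct encoded names; the long hyphenated CDN hostname is not counted because its label alphabet is not one a data encoder would produce. Counting distinct names per domain, rather than flagging single queries, is what keeps the rule quiet on networks where a few legitimate services also use long opaque labels.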
Stealing credit card account details is not always the only objective of this malware. Some variants can also incorporate other standard Trojan features such as:
- Credential harvesting (from browsers and remote access software)
- File download/upload capabilities
- File management
- Anti-detection capabilities
Description of specific malware families
Now that we have a good understanding of the various capabilities of POS malware, we can look more closely at behaviors associated with some of the best-known malware families.
Rdasrv was one of the earliest identified POS RAM scrapers, discovered in early 2011. Unlike scrapers that look at every process, it inspects only the processes whose names are hard coded into the malware itself. Matching patterns are written to a text file for the attacker to collect manually at a later date.
Reports on Dexter emerged back in 2012. According to a report by Aviv Raff, chief technology officer of the Israel-based security firm Seculert, Dexter had infected hundreds of point-of-sale computers at big-name retailers, hotels, restaurants and other businesses.
Dexter steals payment card data from the POS system and sends it to a remote C&C server. Its source code was leaked some time ago, and new variants are still being produced as others build on the code base.
Alina is a well-known POS RAM scraper family, discovered in October 2012. As of this writing, Alina variants are still being actively developed, so their persistence, RAM scraping and exfiltration methods vary from version to version: early versions sent data in plain text, while later ones XOR-obfuscated it or contacted multiple C&C servers. Alina casts a wider net than families with hard-coded targets, because the processes it scrapes are not fixed in the binary, which makes it more versatile and usable against a larger set of victims.
BlackPOS rose to fame, or rather infamy, when it was found on the POS systems of the retail giant Target in December 2013. Its source code had already leaked back in 2012, allowing malicious and non-malicious parties alike to examine and improve the code base. It maintains persistence by masquerading as an anti-virus program. Its exfiltration is simple: track 1 and track 2 data is written to a file and uploaded to an FTP server for later collection.
Like BlackPOS, FrameworkPOS rose to infamy after it was found on the POS systems of another major retailer, The Home Depot. It achieves persistence by installing a Windows service that starts at boot and is restarted if it stops; the service is named "McAfee Framework Management Instrumentation", a name likely chosen so that it blends in with legitimate software. Like many families, FrameworkPOS has many variants, and one stands out for its exfiltration method: instead of writing the stolen data to a file and uploading it to an FTP server (the method seen in the Home Depot breach), it encodes the data in DNS requests. DNS is rarely blocked or inspected at the edge of a POS network, so that channel deserves its own monitoring.
Chewbacca was discovered on the POS systems of several dozen retailers around the world in late 2013. For persistence it installs itself as "spoolsv.exe" in the Startup folder. Once installed, its keylogger creates a file called "system.log" in the %temp% folder and records keyboard events and window focus changes there. Chewbacca also scrapes memory, using a regex to extract track 1 and track 2 data, and sends what it finds to its C&C server over Tor, which hides the server's real IP address, encrypts the traffic in transit and makes simple network-level detection harder. Tor traffic leaving a POS network segment is itself an anomaly worth alerting on.
Unlike many of the earlier families, Backoff was not built with one specific target in mind, which is why it could be used in a large number of breaches; one of the larger ones affected UPS Store locations between January and August 2014. Backoff also uses a runtime packer to hinder detection. For persistence it keeps an encrypted copy of itself (nsskrnl); if the malware stops running for any reason, code injected into an explorer.exe process decrypts and executes that copy to re-infect the system. Exfiltration and remote control are carried out over HTTP to a remote C&C server.
The malware dubbed Cherrypicker POS has been around undetected since roughly 2011. It avoids detection through encryption, obfuscation and cleaning up after itself. It injects into processes chosen according to its configuration and scrapes their memory for track 1 and track 2 data, which it writes to a log file. The log file is then encrypted and sent to a remote FTP server.
AbaddonPOS is a small piece of malware, around 5 KB in size, that implements several anti-analysis and obfuscation techniques to make manual and automated analysis harder. To acquire track 1 and track 2 data it scrapes the memory of every process except its own. Most of its code is not obfuscated; the exception is the routine that encodes and transmits the card data, plausibly because, unlike families that reuse existing protocols such as HTTP, IRC or Tor to talk to a C&C, Abaddon's developers created their own binary encoded protocol for exfiltration.
The following correlation rules from AlienVault USM are used to detect activity from the aforementioned threats:
- System Compromise, Malware infection, Dexter POS
- System Compromise, Malware infection, Alina POS
- System Compromise, Trojan infection, BlackPOS
- System Compromise, C&C Communication, FrameworkPOS
- System Compromise, C&C Communication, FrameworkPOS DNS Channel
- System Compromise, Trojan infection, Chewbacca
- System Compromise, C&C Communication, JackPOS
- System Compromise, Trojan infection, vSkimmer
- System Compromise, C&C Communication, Backoff POS
- System Compromise, C&C Communication, Backoff POS - SSL certificate
- System Compromise, Malware infection, FighterPOS
- System Compromise, Malware infection, BernhardPOS
- System Compromise, Malware infection, FindPOS
- System Compromise, Malware infection, Nitlove
- System Compromise, Malware infection, PunkeyPOS
- System Compromise, Trojan infection, NewPosThings
- System Compromise, C&C Communication, DecebalPOS
- System Compromise, Malware infection, POSCardStealer
- System Compromise, Trojan infection, CherryPickerPOS
- System Compromise, Trojan infection, AbaddonPOS
For the security researcher, POS malware is an area of growing interest. Learning the different families is useful because it makes variants easier to identify and detect. Knowing which families share a code base saves valuable time, especially when responding to a breach: not every new sample has to be treated as something brand new, since in many cases attackers are simply modifying existing malware to evade detection.
The following infographic lists most of the recent breaches at retailers caused by the malware we've discussed, depicting an overview of impact.