New PoS malware family discovered

JMH

Emeritus, Contributor
Joined
Apr 2, 2012
Posts
7,197
A new family of PoS malware has been discovered and analyzed by Trend Micro researchers.

They dubbed it PwnPOS, and believe that it has been in use since 2013, possibly even earlier. So how come it took so long for it to be spotted?

"PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years due to its simple but thoughtful construction," they explained.

Made of two components - a RAM scraper binary and a binary responsible for data exfiltration - PwnPOS works similarly to most other known PoS malware: it enumerates all running processes, it searches for payment card data and dumps it into a separate file, then compresses and encrypts it, and exfiltrates it via an email to a pre-defined mail account via SMTP with SSL and authentication.

"Rather than utilizing a third-party executable to send email, it utilizes a known AutoIt routine that makes use of the Collaboration Data Objects (CDO) API suite that is built-in with Microsoft Windows," Threats Analyst Jay Yaneza shared.