What Is It?
Recently, researchers have discovered a new and sophisticated variant of the LockPOS point-of-sale (POS) malware. The purpose of this malware is to extract payment card data from the memory of an infected point-of-sale system and send that data back to the attackers.
The most concerning aspect of LockPOS is that it improves upon a method that an earlier POS malware, Flokibot, used to avoid detection by endpoint anti-virus products. Aside from multiple stages of unpacking and decrypting itself, LockPOS first obtains a copy of a core Windows file (ntdll.dll) by mapping it from the system’s disk. This process ensures the malware is calling a “clean copy” of the file, therefore bypassing hooks used by anti-virus products to monitor system activity. LockPOS then injects the malicious payload into the kernel, again bypassing anti-virus products.
Researchers note that this malware required significant resources and technical skill to develop. This reflects the potential high monetary returns from a successful POS breach. POS malware is a great concern for any business, as the reputational losses and potential settlement and regulatory costs stemming from a major POS breach can have a large impact, as we have seen in several breaches including Target and Home Depot.
How Does It Propagate?
The LockPOS malware does not self-propagate.
The malware is being spread by the same botnet that previously delivered the Flokibot POS malware, which could be any device on the corporate network which has visibility to the POS devices.
When/How Did BluVector Detect It?
BluVector’s patented machine learning malware detection engine detects the LockPOS malware as malicious. Regression testing on the sample has shown the file would have been detected by BluVector 48 months prior to its release.