LockPos, the new point-of-sale malware actively spreading in the wild.

July 14, 2017

The SonicWall Threats Research team observed reports of a new variant POS family named GAV: LockPOS.A actively spreading in the wild. LockPOS malware affecting point-of-sale systems has been discovered to rely on Windows Explorer to deliver stolen card data to the attackers.

Infection Cycle:

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable file to %Allusersprofile%Application Data folder With Random name and then injects Explorer.exe to collects information from target system.

LockPOS retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software. The hackers use the following API functions such as:

  • FindResourceW

  • CryptDecrypt

  • RtlDecompressBuffer

The malware generates two files [Random Name].exe and[Random Name].bin in All user profile folder. The [Random Name].exe file it's a dropper and [Random Name].bin file contains encrypted Credit Card information.

The malware sends an HTTP request to its own C&C server such as following example:

Command and Control (C&C) Traffic

LockPOS performs C&C communication over HTTP protocol.

The malware sends HTTP request to its own C&C server with following formats, here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: LockPOS.A (Trojan)

  • GAV: LockPOS.A_2 (Trojan)