New GamaPoS malware targets US companies

July 24, 2015

The Dell Sonicwall Threats Research team observed reports of a New POS family named GAV: GamaPOS.ABC. The POS Malware contains features such as memory scrapping functions like popular Point-of-Sale Trojan BlackPOS but this time the Malware spreading across United States through malicious emails that contain attachments such as macro-based malware Andromeda in the wild.

The POS Malware uses valid certificates to sign the malicious components to avoid detection by AVs.

Infection Cycle:

Md5s:

  • Detected as GAV: GAMAPOS.ABC (Trojan)

    • o dc035e61535d5db2ad08d6853c7759a3

    • o 6cabaef20e08803e2e9cd380aae00bc6

    • o 685f2a756a001598ec697911c2ee11cd

    • o 1c7baed4c317e610ea991751e5d9758d

    • o 575040751b4755ecf5c9394b76b5c41c

  • Detected as GAV: GAMAPOS.ABD (Trojan)

    • o 99fd9f118eaa969976f2defb61e4582e

The Malware adds the following files to the system:

  • %Userprofile%All Usersjane.exe [ Execrable dropper ]
  • %Userprofile%All Users _temp.dat [Key logger Log ]

The Malware adds the following key to the Windows registry to ensure persistence upon reboot:

The Malware uses multi component tools to grabbing information from the infected machine and uses legitimate code-signing certificates to avoid detection by AV Vendors.

GamaPOS retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

The malware installs key logger on the target machine and saves information to the _temp.dat file.

Here is an example:

Command and Control (C&C) Traffic

GamaPOS performs C&C communication over 1080 port. The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: GamaPos.ABC [(Trojan)]]
  • GAV: GamaPos.ABD [(Trojan)]]