NewPosThings.C, a 64-bit variant of POS malware released in the wild.

April 8, 2015

The Dell SonicWALL Threats Research team observed reports of a 64-bit variant of the POS bot family named GAV: NewPosThings.C. A new variant of the NewPosThings malware, known for targeting payment processing systems, has been released in the wild. This time the threat is directed at 64-bit machines with high version numbers.

Infection Cycle:

MD5: 4196c67648003a18f61573a77b6d3be6

The Trojan adds the following files to the system:

  • %Userprofile%\Application Data\Java\JavaUpdate.exe

  • %Userprofile%\Application Data\Java\DLLx64.dll

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • %Userprofile%\Application Data\Java\JavaUpdate.exe

NewPosThings retrieves the list of all running processes; JavaUpdate.exe is responsible for periodically scraping the memory of those processes on the infected machine for credit card information.

The Trojan has an exclusion list of system processes to ignore; it gathers track data by scanning the memory of all running processes except for the following list:

The malware searches the registry for VNC passwords. The following keys and values are checked:

  • HKLM\SOFTWARE\RealVNC\vncserver [Password]

  • HKCU\Software\TightVNC\Server [Password]

  • HKCU\Software\TightVNC\Server [PasswordViewOnly]

  • HKCU\Software\TigerVNC\WinVNC4 [Password]

It also searches the ultravnc.ini file for 'passwd=' and 'passwd2=' entries, as shown below:

The malware tries to enumerate credit card data from POS software. Here is an example of the malware scraping memory:

Command and Control (C&C) Traffic

NewPosThings checks every 10 minutes whether data is available for transfer to the command and control (C&C) server. The collected data is sent to the server over HTTP on port 80. Requests are made on a regular basis to statically defined domains such as:

The malware transfers credit card data in Base64 format; here is an example:
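As an added illustration, not from the advisory, the following Python sketch shows one way a defender might hunt for the beaconing described above in web-proxy logs: POSTs on port 80 to the same host at roughly ten-minute intervals whose Base64 bodies decode to Track 2-shaped card data. The five-field log format, the host names and the test PAN are all constructed for the example.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Track 2 shape: ';' sentinel, PAN (13-19 digits), '=', expiry YYMM, more digits, '?' sentinel
TRACK2_RE = re.compile(rb";\d{13,19}=\d{4}\d*\?")
BEACON_INTERVAL = timedelta(minutes=10)   # check-in period described in the advisory
TOLERANCE = timedelta(seconds=30)         # jitter tolerated around that period

def decodes_to_track_data(body: str) -> bool:
    """True if body is valid Base64 whose decoded bytes contain Track 2-shaped data."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return TRACK2_RE.search(raw) is not None

def find_beacons(log_lines, interval=BEACON_INTERVAL, tolerance=TOLERANCE):
    """Return {host: request_count} for hosts that receive port-80 POSTs carrying
    Base64 track data at a steady `interval` (+/- tolerance). One request is never a beacon."""
    by_host = defaultdict(list)
    for line in log_lines:
        ts, host, port, method, body = line.split()   # constructed 5-field log format
        if port == "80" and method == "POST" and decodes_to_track_data(body):
            by_host[host].append(datetime.fromisoformat(ts))
    hits = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if gaps and all(abs(gap - interval) <= tolerance for gap in gaps):
            hits[host] = len(times)
    return hits

def sample_log():
    """Constructed proxy log lines (not from the advisory); 4111111111111111 is a test PAN."""
    track = base64.b64encode(b";4111111111111111=2512101123456789?").decode("ascii")
    return [
        f"2015-04-08T10:00:00 c2.example.invalid 80 POST {track}",
        "2015-04-08T10:03:15 updates.example.invalid 80 GET -",
        "2015-04-08T10:05:00 api.example.invalid 80 POST aGVsbG8=",   # decodes to 'hello'
        f"2015-04-08T10:10:02 c2.example.invalid 80 POST {track}",
        f"2015-04-08T10:19:58 c2.example.invalid 80 POST {track}",
        f"2015-04-08T10:30:01 c2.example.invalid 80 POST {track}",
        f"2015-04-08T10:31:00 once.example.invalid 80 POST {track}",   # single hit, no period
    ]
```

Running `find_beacons(sample_log())` flags only c2.example.invalid with four requests; the benign POST and the single isolated hit are ignored.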

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: NewPosThings.C