PoSeidon: a new malware program targets point-of-sale systems

March 30, 2015

The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: Poseidon.AB actively spreading in the wild. Poseidon.AB malware typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.

Infection Cycle:

Md5: 5eeb39a0ba36a3f8d9789034dbba9455

The Trojan adds the following files to the system:

%SystemRoot%system32WinHost.exe [Detected as GAV: Poseidon.AB (Trojan)]]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinHost

Poseidon retrieves all processes lists; one of the injected malicious code threads is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software. To do this the attackers use API function calls such as:

CreateToolhelp32Snapshot

  • Process32First

  • Process32Next

  • OpenProcess

  • ReadProcessMemory

Here is an example of scraping the memory by malware:

The file WinHost.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to scraping the memory and after some time it deletes its own executable file.

The Malware tries to verify Credit Cards Numbers using the Luhn algorithm and then encrypted and sent to one of the given C&C Servers such as following domains:

  • hxxps://linturefa.com/ldl01/viewtopic.php

  • hxxps://xablopefgr.com/ldl01/viewtopic.php

  • hxxps://tabidzuwek.com/ldl01/viewtopic.php

  • hxxps://linturefa.ru/ldl01/viewtopic.php

  • hxxps://xablopefgr.ru/ldl01/viewtopic.php

  • hxxps://tabidzuwek.ru/ldl01/viewtopic.php

  • hxxps://weksrubaz.ru/ldl01/viewtopic.php

  • hxxps://mifastubiv.ru/ldl01/viewtopic.php

  • hxxps://lacdileftre.ru/pes2/viewtopic.php

The malwares sends data with following format:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s

Here is an example:

Command and Control (C&C) Traffic

Poseidon performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Poseidon.AB