Security News

PoSeidon: a new malware program targets point-of-sale systems

By

The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: Poseidon.AB actively spreading in the wild. Poseidon.AB malware typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.

Infection Cycle:

Md5: 5eeb39a0ba36a3f8d9789034dbba9455

The Trojan adds the following files to the system:

%SystemRoot%system32WinHost.exe [Detected as GAV: Poseidon.AB (Trojan)]]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWinHost

Poseidon retrieves all processes lists; one of the injected malicious code threads is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software. To do this the attackers use API function calls such as:

CreateToolhelp32Snapshot

  • Process32First

  • Process32Next

  • OpenProcess

  • ReadProcessMemory

Here is an example of scraping the memory by malware:

The file WinHost.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to scraping the memory and after some time it deletes its own executable file.

The Malware tries to verify Credit Cards Numbers using the Luhn algorithm and then encrypted and sent to one of the given C&C Servers such as following domains:

  • hxxps://linturefa.com/ldl01/viewtopic.php

  • hxxps://xablopefgr.com/ldl01/viewtopic.php

  • hxxps://tabidzuwek.com/ldl01/viewtopic.php

  • hxxps://linturefa.ru/ldl01/viewtopic.php

  • hxxps://xablopefgr.ru/ldl01/viewtopic.php

  • hxxps://tabidzuwek.ru/ldl01/viewtopic.php

  • hxxps://weksrubaz.ru/ldl01/viewtopic.php

  • hxxps://mifastubiv.ru/ldl01/viewtopic.php

  • hxxps://lacdileftre.ru/pes2/viewtopic.php

The malwares sends data with following format:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s

Here is an example:

Command and Control (C&C) Traffic

Poseidon performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Poseidon.AB

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Waledac SMS Spy Trojan (April 16, 2009)
FakeRansom: Deletes files then demands payment for nothing (Jul 15th, 2016)
Linux-based IRCBot spotted in the wild (Sep 18, 2015)
Egregor Ransomware
Browserlock (July 25,2014)
Ransomware asking victims to subscribe to a YouTube channel
Apache Struts Dynamic Method Invocation Remote Code Execution (CVE-2016-3081)
Info stealer module leaks process information (Oct 16th, 2015)