PoSeidon: a new malware program targets point-of-sale systems
The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: Poseidon.AB actively spreading in the wild. Poseidon.AB malware typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.
The Trojan adds the following files to the system:
%SystemRoot%system32WinHost.exe [Detected as GAV: Poseidon.AB (Trojan)]]
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
Poseidon retrieves all processes lists; one of the injected malicious code threads is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.
The malware tries to Enumerate Credit Card Data from POS Software. To do this the attackers use API function calls such as:
Here is an example of scraping the memory by malware:
The file WinHost.exe registered as services on win32 subsystem, after next restart the malware uses an injected Svchost.exe to scraping the memory and after some time it deletes its own executable file.
The Malware tries to verify Credit Cards Numbers using the Luhn algorithm and then encrypted and sent to one of the given C&C Servers such as following domains:
The malwares sends data with following format:
Here is an example:
Command and Control (C&C) Traffic
Poseidon performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: