Darknet markets have been found selling LusyPOS, a new type of point-of-sale malware which is similar in nature to other RAM scrapers utilized in some of the highest profile data breaches of 2014.
Similar malware was used in the Target breach last year which saw the compromise of 40 million payment cards, 70 million records and hundreds of millions of dollars in associated costs.
More recently, the Home Depot breach saw the compromise of 56 million cards as well as 53 million email addresses in a similar attack. The company faces multiple lawsuits in the US and Canada as a result.
Would-be cybercriminals, and just about anyone else with $2,000 in their back pocket, can pick the malware up from underground carding websites today, no questions asked.
LusyPOS, which at 4MB is bigger than other variants, was uncovered by CTBS reverse engineers earlier this month. Nick Hoffman and Jeremy Humble analyzed “lusypos.exe” after it appeared on VirusTotal and learned that it had many similarities with two other notorious POS malware families – Chewbacca and Dexter.
The pair noted that the new variant’s code contained strings for command and control, whitelist processing and registry key persistence that suggest it “may have taken a cue from dexter.” They also noted that its RAM-scraping code is similar to that found in other such malware, as is its method of verifying that the scraped data is valid credit card track information: the Luhn algorithm, the standard checksum used to validate card numbers.
Like Chewbacca, LusyPOS also uses the TOR network which offers the promise of anonymity to the controllers who can use it to access information via a remote server.
Technically speaking, there is no good reason for a POS machine to talk to TOR, nor should it be allowed to. In terms of Payment Card Industry Data Security Standard (PCI DSS) compliance, such communication should be expressly prohibited, with Hoffman saying “most PCI audits will attempt to lock this sort of activity down but there seem to be devils in the implementation that allow malware like this to be successful”. Such activity is therefore a good means of detecting the presence of POS malware on a system: if suspicious domain names, such as those with a .onion TLD, are spotted, they should be blocked immediately.
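As an added illustration of the detection approach described above (not code from the researchers or the article), the following script scans DNS query logs for lookups of .onion names and groups the hits by client, so a POS host that starts resolving TOR hidden-service names stands out. The log format, client addresses and .onion labels are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (hypothetical format: timestamp, client, "query", type, name).
# The .onion labels below are made-up placeholders, not real indicators.
SAMPLE_DNS_LOG = """\
2014-12-10T10:01:03Z 10.20.1.15 query A updates.example-vendor.com
2014-12-10T10:01:09Z 10.20.1.15 query A s3dt2kvqfxrf.onion
2014-12-10T10:02:44Z 10.20.1.22 query A pos-backend.corp.example
2014-12-10T10:03:01Z 10.20.1.15 query A rvkqtt7a3fjq.onion
2014-12-10T10:03:15Z 10.20.1.31 query AAAA time.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)


def is_onion_name(name: str) -> bool:
    """True if the queried name ends in the .onion pseudo-TLD.

    Comparison is case-insensitive and tolerates a trailing dot; a bare "onion"
    label or "onion" appearing mid-name does not count.
    """
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_lookups(log_text: str) -> dict:
    """Return {client: [queried .onion names]} for every hit in the log.

    Lines that do not match the expected format are skipped rather than
    aborting the scan, so a partially malformed log still yields alerts.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_onion_name(m.group("name")):
            hits[m.group("client")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_onion_lookups(SAMPLE_DNS_LOG).items():
        print(f"ALERT {client} resolved {len(names)} .onion name(s): {', '.join(names)}")
```

On the sample above only 10.20.1.15 is reported; in practice the same check belongs on the resolver or proxy that POS segments are forced through, where the lookup can be logged and blocked in one place.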
When LusyPOS was initially submitted to VirusTotal on 30 November it was only detected by 7 of its 55 AV engines (and two of those flagged it only because of its use of TOR). Now, two weeks later, it is still only detected by 27 of them.
Hoffman and Humble concluded that “This is just a scratch in the surface of a new malware family. We’ll be curious to watch it evolve over the next couple years and track its progress”.