CenterPOS Malware

CenterPOS (also known as "Cerebrus") is point-of-sale (POS) malware discovered by cyber security experts. [1] It was discovered in September 2015 along with other kinds of POS malware, such as NewPOSThings, BlackPOS, and Alina. [2] The developer responsible has released two versions: version 1.7 and version 2.0. [3] CenterPOS 2.0 has similar functionality to version 1.7, but adds some more effective features, such as a configuration file for storing information about its command and control (C&C) server. [4]

Overview

CenterPOS has been used to target retailers in order to illegally obtain payment card information using a memory scraper. [5] It uses two distinct modes to scrape and store information: a "smart scan" and a "normal scan". [6] In normal scan mode, the malware enumerates all of the processes on the device and selects those that are not its own process, are not named "system", "system idle process" or "idle", and do not contain keywords such as Microsoft or Mozilla. For every process that meets these criteria, the malware searches all of the process's memory regions for credit card data, using the regular expressions in its regular expression list. In smart scan mode, the malware starts by performing a normal scan, and any process that produces a regular expression match is added to the smart scan list. After the first pass, the malware only searches the processes in the smart scan list. The malware also contains functionality that allows cybercriminals to create a configuration file. [7]

Process Details

CenterPOS malware searches for the configuration file that contains the C&C information. If it cannot find the configuration file, it asks for a password. If the password entered is correct, it runs the routine that creates a configuration file. [8] This malware differs from other point-of-sale malware in that it has a separate component, called the builder, that creates the payload. [9]

The CenterPOS malware looks for credit and debit card information in smart scan mode and then encrypts all of the scraped data with Triple DES. [10] The encrypted memory-scraped data is then sent to the operator of the malware in a separate HTTP POST request. [2]

References

  1. "CenterPoS POS Malware Variant". Cyber.nj.gov. Retrieved 2016-10-02.
  2. "Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems". Securityaffairs.co. 2016-01-29. Retrieved 2016-10-02.
  3. "CenterPOS: An Evolving POS Threat". Fireeye.com. 2016-01-28. Retrieved 2016-10-02.
  4. "CenterPOS – The evolution of POS malware". Iicybersecurity.wordpress.com. 2016-01-29. Retrieved 2016-10-02.
  5. Numaan Huq (2013-07-16). "A look at Point of Sale RAM scraper malware and how it works". Nakedsecurity.sophos.com. Retrieved 2016-10-02.
  6. "CenterPOS: An Evolving POS Threat". Securitybloggersnetwork.com. Archived from the original on 2017-01-09. Retrieved 2016-10-02.
  7. "Two New PoS Malware Affecting US SMBs". TrendLabs. 2015-09-28. Retrieved 2016-10-09.
  8. "New Version Of CenterPOS Malware Taps Rush To Attack Retail Systems". Darkreading.com. 2016-01-28. Retrieved 2016-10-02.
  9. "Two new point-of-sale threats target SMBs in the U.S". Scmagazine.com. 2013-10-31. Retrieved 2016-10-02.
  10. "New Version of CenterPOS Malware Emerges". Onthewire.io. 2016-01-28. Retrieved 2016-10-02.