A once-dormant command-and-control server for Flokibot has woken up and begun to distribute a new point-of-sale (PoS) malware family.
The new threat, which researchers at Arbor Networks call “LockPoS,” uses Run keys in the Windows Registry (the Software\Microsoft\Windows\CurrentVersion\Run keys, which launch a program at every logon) to achieve persistence before communicating with its command-and-control server over HTTP.
The body of each HTTP POST consists of “data chunks” describing the infected machine. Data returned in the C2 response can in turn instruct the malware to update its configuration or inject an executable file into explorer.exe, among other functions.
As for its ability to steal credit card information, LockPoS isn’t exactly ground-breaking. Dennis Schwarz of Arbor Networks explains:
“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like.”
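The scan Schwarz describes is the same approach most memory-scraping PoS families take, and it is also what a responder can reproduce over a process memory dump to confirm whether a terminal process held card data in cleartext. The following is an added example, not code from Arbor's analysis or from LockPoS itself: a Python scanner that runs the magnetic-stripe Track 1 and Track 2 patterns over a memory buffer and applies a Luhn (mod 10) check to discard digit runs that merely look like a card number. The buffer is constructed here (it is not a real dump), the PANs are the well-known 4111.../5555... test numbers, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Magnetic-stripe track layouts a scraper looks for in process memory:
#   Track 1: %B<PAN 13-19 digits>^<cardholder name>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN 13-19 digits>=<YYMM><service code><discretionary>?
# Bytes patterns are used because the data sits in raw memory; \d matches ASCII digits only.
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z0-9 /.'\-]{2,26})\^(\d{4})(\d{3})[^?]{0,50}\?"
)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check on a PAN; rejects most random digit runs that fit the pattern."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned buffer
    pan: str
    expiry: str         # YYMM
    service_code: str
    luhn_valid: bool

    @property
    def masked_pan(self) -> str:
        """First six and last four digits only; never log a full PAN from a scan."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def scan_buffer(buf: bytes, require_luhn: bool = False) -> list[TrackHit]:
    """Find Track 1 / Track 2 records in a memory buffer, ordered by offset."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append(TrackHit(1, m.start(), pan, m.group(3).decode("ascii"),
                             m.group(4).decode("ascii"), luhn_ok(pan)))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append(TrackHit(2, m.start(), pan, m.group(2).decode("ascii"),
                             m.group(3).decode("ascii"), luhn_ok(pan)))
    hits.sort(key=lambda h: h.offset)
    if require_luhn:
        hits = [h for h in hits if h.luhn_valid]
    return hits


# Constructed sample "memory" (assumption: not a real process dump). The first two
# records carry standard test PANs that pass Luhn; the third has the Track 2 shape
# but fails Luhn, which is the false positive the check exists to remove.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00cfg=1\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"   # Track 1, Luhn-valid
    b"\x00\x7f log 2017-07-10 12:00:00 \x00"
    b";5555555555554444=2512101123456789?"             # Track 2, Luhn-valid
    b"\x00\x01\x02"
    b";4111111111111112=2512101123456789?"             # Track 2 shape, Luhn fails
    b"\x00 %B is not a track; x^y^z \x00"
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(f"track{h.track} @0x{h.offset:04x} pan={h.masked_pan} "
              f"exp={h.expiry} sc={h.service_code} luhn={h.luhn_valid}")
```

On a real host you would feed scan_buffer the contents of a process memory dump taken during incident response rather than a live read; the point of the Luhn filter is that timestamps, serial numbers and other digit runs in a terminal's memory can satisfy the regex, and a scraper that skipped it would fill its C2 uploads with junk, so both attackers and defenders apply it.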
But what is unusual is that LockPoS shares command-and-control infrastructure with Flokibot.
Perhaps the criminals responsible for Flokibot created LockPoS in an attempt to diversify their portfolio of threats. And if that association weren’t enough, Flokibot and LockPoS’s shared command-and-control server (treasurehunter[dot]at) bears the same name as TREASUREHUNT, a separate PoS malware family seemingly designed for a specific “dump shop” of credit card information.
PoS malware gangs are always developing new strains to target businesses’ point-of-sale terminals. To counter this persistent threat, companies need to keep their electronic tills patched and monitor them for anomalous activity, such as new Registry Run entries, unexpected outbound HTTP connections from PoS processes, and known C2 domains like the one above.