LockPos, the new point-of-sale malware being distributed by a once-dormant command and control server

Criminal gang's malware threatens to steal credit card information from poisoned payment terminals.

New PoS malware family distributed by once-dormant Flokibot C2 server

A once-dormant command-and-control server for Flokibot has woken up and begun to distribute a new point-of-sale (PoS) malware family.

The new threat, which researchers at Arbor Networks call “LockPoS,” uses run keys in the Windows Registry to achieve persistence before communicating with its command-and-control server over HTTP.

POST data exchanged with that server consists of “data chunks” describing the infected machine. The malware can then use data returned in a C2 response to update its configuration or inject an executable file into explorer.exe, among other functions.

[Figure: Initial configuration for LockPoS (Source: Arbor Networks)]

As for its ability to steal credit card information, LockPoS isn’t exactly ground-breaking. Dennis Schwarz of Arbor Networks explains:

“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like.”

[Figure: An example credit card exfiltration by LockPoS (Source: Arbor Networks)]
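The memory-scraping behaviour Schwarz describes is also what a defender looks for when checking whether a PoS process holds plaintext track data. The following is an added example, not code from Arbor Networks or from the LockPoS analysis: it scans a constructed "process memory" buffer for Track 1 and Track 2 formatted records, applies the Luhn check to discard lookalike digit runs, and reports only masked PANs so the finding can be logged without copying card numbers. The regexes, the sample buffer and the test PAN 4111111111111111 are all assumptions chosen for illustration.

```python
import re

# Track 2 as written on a magnetic stripe: PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??")
# Track 1 format B: '%B', PAN, '^', cardholder name, '^', YYMM expiry, service code.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})")

def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # iterating bytes yields ints; 48 == ord('0')
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: bytes) -> str:
    """Keep BIN and last four so a hit is reportable without storing the full PAN."""
    p = pan.decode()
    return p[:6] + "*" * (len(p) - 10) + p[-4:]

def find_track_data(buf: bytes):
    """Return (offset, track, masked PAN, expiry) for every Luhn-valid hit in buf."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if luhn_ok(pan):
                hits.append((m.start(), track, mask_pan(pan), m.group("exp").decode()))
    return sorted(hits)

# Constructed sample "process memory": a Track 1 record, a Track 2 record (both with the
# Luhn-valid test PAN) and a decoy whose PAN fails Luhn and must not be reported.
SAMPLE_DUMP = (b"\x00" * 16 + b"%B4111111111111111^DOE/JANE^25121011234567?" + b"\x00" * 8
               + b";4111111111111111=25121011234567890?" + b"junk"
               + b";4111111111111112=2512101?" + b"\xff" * 4)

if __name__ == "__main__":
    for off, track, pan, exp in find_track_data(SAMPLE_DUMP):
        print(f"offset {off:#06x}: track {track} data, PAN {pan}, expiry {exp}")
```

Run against a real process dump this flags exposed track data for a PCI review; on a clean terminal it should return nothing.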

But what is unusual is that LockPoS shares command-and-control infrastructure with Flokibot.

Perhaps the criminals responsible for Flokibot created LockPoS in an attempt to diversify their portfolio of threats. And if that association weren’t enough, Flokibot and LockPoS’s shared command-and-control server (treasurehunter[dot]at) bears the same name as TREASUREHUNT, a separate PoS malware family seemingly designed for a specific “dump shop” of credit card information.

[Figure: Control server]

PoS malware gangs are always developing new strains to target businesses’ point-of-sale terminals. To counter this persistent threat, companies need to regularly patch their electronic tills and monitor their systems for anomalous activity.
