Researchers have discovered a new version of the CenterPOS malware that is capable of scraping memory and finding credit card data in running processes on infected devices.
The malware is the latest iteration of CenterPOS, a family of point-of-sale malware that researchers have been tracking for several months. CenterPOS has been seen infecting PoS devices in a number of small and medium-sized businesses, mainly in the United States. It has a number of different capabilities and gives the attacker the ability to use an infected device to scan the rest of the network for credit card information.
The new version of CenterPOS uses a configuration file to store the command-and-control information for the malware, which is also known as Cerebrus, according to researchers at FireEye who analyzed it. Once it’s executed on a new device, Cerebrus can run either in normal scan mode or smart scan mode. In normal mode, the malware enumerates all of the processes on a device and selects the ones that are not its own running process, aren’t named “system”, “system idle process” or “idle”, and don’t contain keywords such as “microsoft” or “mozilla”.
“If the process meets the criteria list, the malware will search all memory regions within the process searching for credit card data with regular expressions in the regular expression list,” the FireEye analysis says.
“In ‘smart scan’ mode, the malware starts by performing a ‘normal scan.’ Any process that has a regular expression match will be added to the ‘smart scan’ list. After the first pass, the malware will only search the processes that are in the ‘smart scan’ list.”
CenterPOS looks for credit card information on the infected device, and whatever it finds is encrypted using the ancient TripleDES algorithm and sent off to the C&C server. The malware can respond to a number of commands, including orders to restart or uninstall itself, and the attacker controlling the malware can change a number of variables remotely, such as the number of processes to scan and the values of blacklisted processes.
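To make the two scan modes concrete, here is an added Python simulation (not FireEye’s code and not the malware’s) that applies the process-selection criteria described above to a constructed process list with constructed in-memory strings; the process names, the sample memory contents and the single Track-2-style regex are assumptions for illustration, and nothing here reads real process memory. It lets a defender see which of their own processes would fall inside the malware’s default scan scope and how the second-pass scan narrows to the smart-scan list.

```python
import re

# Process names CenterPOS skips, per the FireEye description quoted above.
EXCLUDED_NAMES = {"system", "system idle process", "idle"}
EXCLUDED_KEYWORDS = ("microsoft", "mozilla")

# Constructed stand-in for the malware's regex list: a 16-digit PAN followed
# by a Track-2 style separator and a YYMM expiry. Illustrative only.
CARD_RE = re.compile(rb"\b\d{16}=\d{4}")

def in_scope(name: str, current: str) -> bool:
    """True if a process passes the 'normal scan' selection criteria:
    not the malware's own process, not an excluded name, no excluded keyword."""
    n = name.lower()
    if n == current.lower() or n in EXCLUDED_NAMES:
        return False
    return not any(k in n for k in EXCLUDED_KEYWORDS)

def normal_scan(procs: dict, current: str) -> list:
    """Scan every in-scope process's (simulated) memory; return the names
    that produced a regex match. This is what builds the smart-scan list."""
    return [name for name, mem in procs.items()
            if in_scope(name, current) and CARD_RE.search(mem)]

def smart_scan(procs: dict, current: str, passes: int = 3) -> list:
    """Return, per pass, which processes get scanned. Pass 1 is a normal scan
    over all in-scope processes; later passes revisit only the smart-scan list."""
    candidates = [n for n in procs if in_scope(n, current)]
    smart_list = [n for n in candidates if CARD_RE.search(procs[n])]
    return [candidates] + [list(smart_list) for _ in range(passes - 1)]

# Constructed sample process table (name -> simulated memory contents).
# 4111111111111111 is a well-known test card number, not real card data.
SAMPLE_PROCS = {
    "pos_app.exe": b"...;4111111111111111=2512...",      # in scope, matches
    "explorer.exe": b"no card data here",                # in scope, no match
    "microsoft edge.exe": b"4111111111111111=2512",      # excluded by keyword
    "System": b"",                                       # excluded by name
    "cerebrus.exe": b"4111111111111111=2512",            # the malware's own process
}

if __name__ == "__main__":
    for i, scanned in enumerate(smart_scan(SAMPLE_PROCS, "cerebrus.exe"), 1):
        print(f"pass {i}: scanned {scanned}")
```

Because the article notes the blacklisted process values are configurable from the C&C server, the exclusion sets above should be read as defaults, not fixed behaviour.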
PoS malware has become a serious threat for retailers and the banks that do business with them. The most infamous PoS malware attack was the one that resulted in the Target data breach in 2013, and since then memory-scraping PoS malware has been found in a number of other data-breach investigations as well. Point-of-sale terminals are prime targets for attackers both because of their position in the middle of financial transactions and because they typically are not well defended.