A new breed of point-of-sale malware, called GamaPoS, is spreading across the United States and Canada through the Andromeda botnet. In a first for such threats, GamaPoS uses malware coded using the .NET framework.
GamaPoS, like many recent threats, scrapes off credit card data from point-of-sale systems,Trend Micro reported last week in its TrendLabs Security Intelligence blog. It has affected organizations in 13 U.S. states and one Canadian province: Arizona, California, Colorado, Florida, Georgia, Illinois, Kansas, Minnesota, Nevada, New York, South Carolina, Texas, Wisconsin and Vancouver, Canada.
"The GamaPoS threat uses a 'shotgun' or 'dynamite fishing' approach to get to targets, even unintended ones," Jay Yaneza, threats analyst, wrote in the blog. "This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPoS may have only hit 3.8% of those affected by Andromeda."
Retailers that accept Visa, Discover and Maestro, among other credit and debit cards, risk losing customer data to GamaPoS.
"The GamaPoS infection starts when victims access malicious emails that contain attachments such as macro-based malware or links to compromised websites hosting exploit kit content. This kind of modus operandi is similar to past Andromeda revivals," Yaneza said.
Once converted into Andromeda bots, the affected machines can be manipulated via a control panel that enable the cybercriminals to perform different commands. Attackers use copies of the tools Mimikatz and PsExec to gain control. However, it is only on certain instances that GamaPoS would be installed (see TrendLabs figure below).
PsExec and Mimikatz are popular tools in targeted attacks, Yaneza wrote. PsExec was used in the Target breach to kill processes and move files. "It is a legitimate whitelisted tool that attackers can use to remotely control and perform diagnostics on systems. On the other hand, Mimikatz is a publicly known tool, inserted in other tools, which attackers typically modify. It can be considered one of the best tools to gather credentials from a Windows system. Having both PsExec and Mimikatz in the GamaPoS infection chain enables attackers to laterally move inside target networks at a great degree," he said.
Andromeda is a well-known botnet (a network of computers infected with malicious software) that emerged around 2011. Cybercriminals use Andromeda for its wide reach, which allows them to control endpoints, effectively turning them into bots or zombies. The highly configurable and modular design of the Andromeda botnet can fit any malicious intent, like distributing ZeuS or, more recently, distributing a Lethic bot, Yaneza said.
Earlier this year, the Andromeda botnet was seen spreading macro-based malware, which is an old cybercriminal trick that has lately been regaining traction. "Based on our research, the past few months seem to be quite busy for the Andromeda botnet. Its recent activity reveals its heavy presence in the United States," he said.
Using an old botnet as a shotgun method to cast a wide net for targets has its merits, Yaneza said. By using spam and exploit kits to establish a large mass of bots, the hackers can steal information from specific targets, with some being sold to other threat actors.
This threat combines a classic botnet with a PoS RAM scraper, thus requiring more sophisticated methods of protection, Yaneza wrote. To deal with exploit kits and botnets like Andromeda, IT managers must be up to date on patches for vulnerabilities that can be exploited by these kits.
"To prevent threats from coming in via malicious emails, enforce strong security policies that work according to how your company uses email so as to prevent threats like macro-malware pass through. Effective spam filters that evaluate if attachments have malicious intent work best against these threats," Yaneza said.
POS crime pays, bad guys get 1,425% ROI
PCI updates P2PE standard, simplifies solution development
Retail threats surged during 'the year of the POS breach'
Backoff malware widespread, PCI Council issues call to action
Retailers still unprepared for security breaches-