March 1, 2016 By Larry Loeb 2 min read

Trend Micro has discovered a new variation of the FighterPOS malware, first reported in April 2015, that has worm capabilities. These new worm routines will let it spread from an infected point-of-sale (POS) terminal to others in the same network. This makes the malware more difficult to eradicate since reinfection will occur as long as at least one terminal is affected.

The new variant has been named Floki Intruder. Trend Micro also found a lightweight version of FighterPOS, called TSPY_POSFIGHT.F.

SecurityWeek reported, “Over 90 percent of infections still appear to be in Brazil, [and] the number of infections detected by the security firm in the U.S. now represents 6 percent of the total, up from 1 percent reported in April 2015.”

Similarities and Differences

Floki Intruder looks like the original FighterPOS in that it is based on the same vnLoader botnet client. Like the original, it disables the Windows firewall and removes the default Windows protection and User Account Control. It can also detect a security product through Windows Management Instrumentation (WMI).

Similar to previous variants of FighterPOS, Floki Intruder can be delivered via hijacked websites. It is also capable of receiving updates from its command-and-control (C&C) servers.

The lightweight FighterPOS does not use vnLoader, so the C&C communication is different; it only connects to the server to send credit card logs that its scraper has gathered. It also does not propagate as Floki does. It sends its contents every hour via HTTP POST with the combination of computername and username, separated by a dash, and all the contents of the log file.

Unlike what happens in FigherPOS or Floki Intruder, the lightweight malware protects its data by encrypting the log files. It does a byte-per-byte XOR against a Microsoft Office serial key. It also has to sanitize the data sent via HTTP POST. The encrypted string sent must be free of special and reserved characters or the sending will fail.

Dealing With FighterPOS

Although companies may have taken strides to protect themselves from POS malware, there are many fresh concerns with this revamped threat. Enterprises must establish positive security practices to remain safe.

“One of the best practices of protecting such terminals is to segregate their traffic and employ strict access controls, but strangely, the distribution and design of the threats we have discussed above seem to imply that their targets have bare Internet access,” Trend Micro noted. The source also recommended application white-listing.

The standard precautions for a commercial network would seem to be effective, as well. The unprotected Internet connections for POS machines that Trend Micro found are simply an invitation to disaster, and network security measures could help prevent issues.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today