Trend Micro has discovered a new variation of the FighterPOS malware, first reported in April 2015, that has worm capabilities. These new worm routines will let it spread from an infected point-of-sale (POS) terminal to others in the same network. This makes the malware more difficult to eradicate since reinfection will occur as long as at least one terminal is affected.
The new variant has been named Floki Intruder. Trend Micro also found a lightweight version of FighterPOS, called TSPY_POSFIGHT.F.
SecurityWeek reported, “Over 90 percent of infections still appear to be in Brazil, [and] the number of infections detected by the security firm in the U.S. now represents 6 percent of the total, up from 1 percent reported in April 2015.”
Similarities and Differences
Floki Intruder looks like the original FighterPOS in that it is based on the same vnLoader botnet client. Like the original, it disables the Windows firewall and removes the default Windows protection and User Account Control. It can also detect a security product through Windows Management Instrumentation (WMI).
Similar to previous variants of FighterPOS, Floki Intruder can be delivered via hijacked websites. It is also capable of receiving updates from its command-and-control (C&C) servers.
The lightweight FighterPOS does not use vnLoader, so the C&C communication is different; it only connects to the server to send credit card logs that its scraper has gathered. It also does not propagate as Floki does. It sends its contents every hour via HTTP POST with the combination of computername and username, separated by a dash, and all the contents of the log file.
Unlike what happens in FigherPOS or Floki Intruder, the lightweight malware protects its data by encrypting the log files. It does a byte-per-byte XOR against a Microsoft Office serial key. It also has to sanitize the data sent via HTTP POST. The encrypted string sent must be free of special and reserved characters or the sending will fail.
Dealing With FighterPOS
Although companies may have taken strides to protect themselves from POS malware, there are many fresh concerns with this revamped threat. Enterprises must establish positive security practices to remain safe.
“One of the best practices of protecting such terminals is to segregate their traffic and employ strict access controls, but strangely, the distribution and design of the threats we have discussed above seem to imply that their targets have bare Internet access,” Trend Micro noted. The source also recommended application white-listing.
The standard precautions for a commercial network would seem to be effective, as well. The unprotected Internet connections for POS machines that Trend Micro found are simply an invitation to disaster, and network security measures could help prevent issues.
Principal, PBC Enterprises