March 1, 2016 By Larry Loeb 2 min read

Trend Micro has discovered a new variation of the FighterPOS malware, first reported in April 2015, that has worm capabilities. These new worm routines will let it spread from an infected point-of-sale (POS) terminal to others in the same network. This makes the malware more difficult to eradicate since reinfection will occur as long as at least one terminal is affected.

The new variant has been named Floki Intruder. Trend Micro also found a lightweight version of FighterPOS, called TSPY_POSFIGHT.F.

SecurityWeek reported, “Over 90 percent of infections still appear to be in Brazil, [and] the number of infections detected by the security firm in the U.S. now represents 6 percent of the total, up from 1 percent reported in April 2015.”

Similarities and Differences

Floki Intruder looks like the original FighterPOS in that it is based on the same vnLoader botnet client. Like the original, it disables the Windows firewall and removes the default Windows protection and User Account Control. It can also detect a security product through Windows Management Instrumentation (WMI).

Similar to previous variants of FighterPOS, Floki Intruder can be delivered via hijacked websites. It is also capable of receiving updates from its command-and-control (C&C) servers.

The lightweight FighterPOS does not use vnLoader, so the C&C communication is different; it only connects to the server to send credit card logs that its scraper has gathered. It also does not propagate as Floki does. It sends its contents every hour via HTTP POST with the combination of computername and username, separated by a dash, and all the contents of the log file.

Unlike what happens in FigherPOS or Floki Intruder, the lightweight malware protects its data by encrypting the log files. It does a byte-per-byte XOR against a Microsoft Office serial key. It also has to sanitize the data sent via HTTP POST. The encrypted string sent must be free of special and reserved characters or the sending will fail.

Dealing With FighterPOS

Although companies may have taken strides to protect themselves from POS malware, there are many fresh concerns with this revamped threat. Enterprises must establish positive security practices to remain safe.

“One of the best practices of protecting such terminals is to segregate their traffic and employ strict access controls, but strangely, the distribution and design of the threats we have discussed above seem to imply that their targets have bare Internet access,” Trend Micro noted. The source also recommended application white-listing.

The standard precautions for a commercial network would seem to be effective, as well. The unprotected Internet connections for POS machines that Trend Micro found are simply an invitation to disaster, and network security measures could help prevent issues.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today