
PwnPOS

Posted: October 7, 2020

The PwnPOS malware is likely to have been active in the wild since 2013, but it managed to go unnoticed thanks to the basic but effective anti-detection measures that its creators implemented. This malware family consists of two components that cooperate in collecting information from an infected device. The first module, the memory scraper, reads the memory of specific processes and looks for byte patterns that match credit card numbers. If a match is found, PwnPOS uses the Luhn algorithm to verify that the match is indeed a valid card number and then saves it to a local file. The second component, used for data exfiltration, relies on the SMTP protocol to send the log file to the attacker's email address.
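The Luhn check mentioned above is the same one a responder can use from the other side: given a recovered file (for example the scraper's log, or a memory dump taken from a POS host during triage), scan it for candidate card numbers and keep only those that pass Luhn, so the incident record states whether real card data was captured rather than arbitrary digit runs. The following Python is an added example for this article, not code from the original page or from the PwnPOS sample; the candidate regex, the masking rule and the sample buffer are constructed for the example.

```python
import re

# Candidate PAN pattern: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; production DLP tooling uses issuer-specific prefixes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit starting from the second-last,
    # subtracting 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(buf: bytes):
    """Scan a byte buffer (a recovered log file, a memory dump) for Luhn-valid card numbers.

    Returns a list of (byte_offset, normalized_digits). Digit runs that look like a
    card number but fail Luhn are dropped, which is exactly the filter the scraper applies.
    """
    text = buf.decode("latin-1")  # byte-preserving decode so offsets map 1:1 to the buffer
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def mask(pan: str) -> str:
    """Mask all but the first six and last four digits for safe reporting (constructed rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample buffer: one well-known Visa test number, one 16-digit run that fails
# Luhn (an order id), and one Mastercard test number written with spaces.
SAMPLE = (
    b"2020-10-07 12:00:01 trk=4111111111111111?\n"
    b"order 1234567890123456 shipped\n"
    b"5500 0000 0000 0004 visa\n"
)

if __name__ == "__main__":
    for offset, pan in find_card_numbers(SAMPLE):
        print(f"offset {offset}: {mask(pan)}")
```

Only the masked form should ever leave the analysis host; the full PAN list stays with the evidence.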

Two Components Power the PwnPOS Campaign

It is not clear what infection agent is used to deploy PwnPOS to targeted devices. The attackers might be relying on social engineering or fake downloads, but PwnPOS might also be used as a post-exploitation tool on systems that were compromised previously. Once PwnPOS is installed, it gains persistence by installing itself as a service called 'Windows Media Help.' The peculiar thing is that PwnPOS's executable accepts a '/del' argument that serves an important purpose – it deletes the service but does not remove the primary payload. This may throw off some malware analysis tools and security features that look for suspicious auto-run entries or services.

PwnPOS Uses an Interesting Email Trick to Exfiltrate Data

The file used to store the logged data is called 'perf419.dat,' and it is archived with the 7Zip utility prior to exfiltration. As mentioned earlier, PwnPOS' second component uses SMTP to exfiltrate the data to an email address. However, the attackers use an interesting technique to achieve that. They appear to have misspelled the recipient's email on purpose by adding an extra character – '<censored>@gmail.coom.' The message will not go through, but the sender will receive a bounce message containing the original message's contents. The sender's email is, of course, controlled by the attackers.
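The two sections above describe several host and network behaviours a defender can alert on: a service named 'Windows Media Help', the service binary later being launched with '/del' to unregister itself while staying on disk, creation of 'perf419.dat' and its archiving with 7Zip, and outbound SMTP from a POS terminal to a recipient domain with a malformed top-level label such as 'gmail.coom'. The Python below is an added example that turns those observations into detection logic run over constructed key=value telemetry lines; it is not code from the original article or from the malware. The log format, the host names, the POS_HOSTS set, the KNOWN_TLDS allowlist and the rule names are assumptions made for the example.

```python
import re

# key=value tokenizer; quoted values may contain spaces (constructed log format).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Hypothetical inventory: POS lanes should never originate mail themselves.
POS_HOSTS = {"pos-lane-03", "pos-lane-04"}
# Hypothetical allowlist of top-level labels this environment expects to mail to.
# 'coom' is deliberately absent, so the bounce-to-sender trick stands out.
KNOWN_TLDS = {"com", "net", "org", "test"}


def parse_line(line: str) -> dict:
    """Parse one key=value line into a dict; findall yields '' for the unused group."""
    return {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}


def triage(log_text: str):
    """Run the detections over the log and return (ts, host, rule) alerts in log order."""
    alerts = []
    # (host, lower-cased image path) -> service name, so a later '/del' launch of the
    # same binary can be tied back to the service it installed.
    service_images = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, host, kind = ev.get("ts"), ev.get("host"), ev.get("event")
        if kind == "service_install":
            image = ev.get("image", "")
            service_images[(host, image.lower())] = ev.get("name")
            if ev.get("name") == "Windows Media Help":          # name reported for PwnPOS
                alerts.append((ts, host, "pwnpos_service_name"))
            elif not image.lower().startswith("c:\\windows\\"):  # generic hygiene rule
                alerts.append((ts, host, "service_outside_windows_dir"))
        elif kind == "process_start":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            # Service binary invoked with '/del': the service entry goes away, the file stays.
            if cmd.rstrip().lower().endswith("/del") and (host, image) in service_images:
                alerts.append((ts, host, "service_binary_self_unregister"))
            if "perf419.dat" in cmd.lower() and re.search(r"\b7z", cmd, re.I):
                alerts.append((ts, host, "perf419_archived_with_7z"))
        elif kind == "file_create":
            if ev.get("path", "").lower().endswith("perf419.dat"):
                alerts.append((ts, host, "perf419_log_created"))
        elif kind == "net_smtp":
            if host in POS_HOSTS:
                alerts.append((ts, host, "smtp_from_pos_host"))
            domain = ev.get("rcpt", "").rpartition("@")[2]
            tld = domain.rpartition(".")[2].lower()
            if tld not in KNOWN_TLDS:
                alerts.append((ts, host, "rcpt_tld_unknown_bounce_exfil"))
    return alerts


# Constructed sample telemetry (not real PwnPOS logs); paths and hosts are invented.
SAMPLE_LOG = r"""
ts=2020-10-07T12:00:01Z host=pos-lane-03 event=service_install name="Windows Media Help" image="C:\ProgramData\wmh\wmh.exe"
ts=2020-10-07T12:00:02Z host=pos-lane-03 event=process_start image="C:\ProgramData\wmh\wmh.exe" cmdline="wmh.exe"
ts=2020-10-07T12:03:10Z host=pos-lane-03 event=file_create path="C:\ProgramData\wmh\perf419.dat"
ts=2020-10-07T12:03:11Z host=pos-lane-03 event=process_start image="C:\ProgramData\wmh\7z.exe" cmdline="7z.exe a perf419.7z perf419.dat"
ts=2020-10-07T12:03:20Z host=pos-lane-03 event=net_smtp sender=dropbox@example.test rcpt=user@gmail.coom
ts=2020-10-07T12:04:00Z host=pos-lane-03 event=process_start image="C:\ProgramData\wmh\wmh.exe" cmdline="wmh.exe /del"
ts=2020-10-07T12:04:01Z host=pos-lane-03 event=service_delete name="Windows Media Help"
ts=2020-10-07T12:10:00Z host=pos-lane-04 event=service_install name="Spooler" image="C:\Windows\System32\spoolsv.exe"
"""

if __name__ == "__main__":
    for ts, host, rule in triage(SAMPLE_LOG):
        print(ts, host, rule)
```

The rule that keys off the '/del' launch is the one worth keeping even after the service name changes: a binary that was registered as a service and later unregisters itself on the same host is unusual regardless of what it is called, and the file is still on disk to collect.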

PwnPOS has been active all over the world, but some strings in the source code suggest that the authors might be of Russian origin. So far, samples of the malware have been spotted in Japan, India, Australia, Germany, Romania, Canada and the United States. Unfortunately, malware families like PwnPOS tend to be very effective because many POS systems run outdated operating systems and software riddled with security vulnerabilities.
