
AbaddonPOS

Posted: May 27, 2019

A few years ago, Point-of-Sale (PoS) devices were often considered impenetrable by cybercriminals, mainly because finding an infection vector and staying undetected was a very challenging task. Eventually, however, hackers decided to explore the opportunity to infect PoS devices, and the results were quick to follow: malware researchers have had to combat a plethora of malware that targets PoS devices exclusively and attempts to snatch the credit card details processed through them. While this does not harm the business owning the PoS device, an attack of this sort may end up costing customers thousands of dollars.

One of the malware families that has infected a large number of PoS devices in the United States goes by the name AbaddonPOS, a hacking tool believed to be used by the TA530 group, which is usually involved in financially motivated attacks.

The campaign spreading AbaddonPOS appears to evolve regularly: the attackers have been spotted using fraudulent email attachments, exploit kits, and Trojan downloaders to deliver copies of AbaddonPOS to potential targets. Once the threat manages to infiltrate a system, it immediately begins to observe specific processes known to be used by Point-of-Sale software. To minimize the amount of work it has to do, AbaddonPOS only looks for number strings that are likely to contain cardholder data:

  • Only looks for number strings starting with 3, 4, 5 or 6.
  • Only looks for numbers with a length of at least 13 and at most 19 digits.
  • Uses the Luhn algorithm to verify that the extracted data contains a valid credit card number.
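To make the three filters concrete, here is an added Python example (not code from this page or from the AbaddonPOS sample) that applies the same prefix, length and Luhn rules to a byte buffer, the way a DLP scanner or an incident responder checking a process dump for cardholder data would. The sample buffer, the `find_pans` and `mask_pan` helpers and the use of well-known test card numbers are all constructed for the demo.

```python
import re

# Candidate PAN: starts with 3-6, 13 to 19 digits in total, and not embedded in a
# longer digit run (the lookarounds keep e.g. a 20-digit ID from matching).
PAN_CANDIDATE = re.compile(rb"(?<!\d)[3-6]\d{12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right,
    subtract 9 from doubled values above 9, and require a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return every digit run in buf that passes all three filters."""
    hits = []
    for m in PAN_CANDIDATE.finditer(buf):
        candidate = m.group().decode("ascii")
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, e.g. for a findings report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample buffer (well-known test card numbers, not real accounts):
# one valid Visa test PAN, one with a broken check digit, one starting with 7,
# one that is too short, and one valid Amex test PAN.
SAMPLE = (b"name=JOHN DOE pan=4111111111111111 exp=2512 "
          b"bad=4111111111111112 other=7111111111111111 "
          b"short=411111111111 amex=378282246310005")

if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print(mask_pan(pan))
```

Only the two well-formed test PANs survive: the broken check digit fails Luhn, the string starting with 7 fails the prefix rule, and the 12-digit run fails the length rule. The same filter, pointed at memory of a payment process, is a reasonable way to confirm whether plaintext card data is exposed on a host at all.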

The collected data is encoded with a hardcoded XOR cipher and then transferred to the attacker's server, whose IP address is also hardcoded in the AbaddonPOS sample analyzed.
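For the exfiltration step, the point a responder cares about is that a hardcoded XOR key offers no confidentiality once any plaintext is known. The following added Python example (not from this page or from the AbaddonPOS sample) shows a known-plaintext recovery: given a captured blob and one card number the analyst knows was processed (for instance from a test transaction on the infected terminal), XOR the two to expose the key stream, find its repeat period, and decode the remaining records to size up the breach. The key, the `;`-separated record layout and the captured bytes are constructed for the demo, and the key is assumed to be a short repeating one.

```python
# Constructed demo data: a short repeating key and ';'-separated records
# (well-known test card numbers, not real accounts). An analyst would instead
# have the bytes captured on the wire and one PAN known from a test transaction.
DEMO_KEY = b"\x5a\x13\xc4"
DEMO_RECORDS = b"4111111111111111;378282246310005;5555555555554444;"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CAPTURED = xor_bytes(DEMO_RECORDS, DEMO_KEY)   # what the collection server would receive


def recover_key(ciphertext: bytes, known: bytes, offset: int = 0,
                max_key_len: int = 16):
    """Known-plaintext recovery of a repeating XOR key.

    `known` is plaintext the analyst is sure occurs at `offset` in the
    ciphertext. XORing the two exposes a slice of the key stream; the shortest
    period that explains the whole slice is the key length, and the key is that
    period rotated so index 0 lines up with ciphertext offset 0.
    Returns None if no period up to max_key_len fits.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext[offset:], known))
    for period in range(1, min(max_key_len, len(stream)) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return bytes(stream[(j - offset) % period] for j in range(period))
    return None


def decode_records(ciphertext: bytes, key: bytes) -> list:
    """Decode and split the blob; any non-digit record means the key is wrong."""
    plain = xor_bytes(ciphertext, key)
    records = [r.decode("ascii", errors="replace") for r in plain.split(b";") if r]
    if not all(r.isdigit() for r in records):
        raise ValueError("decoded data is not digit records; wrong key?")
    return records


if __name__ == "__main__":
    key = recover_key(CAPTURED, b"4111111111111111")
    print("recovered key:", key.hex())
    for rec in decode_records(CAPTURED, key):
        print(rec[:6] + "*" * (len(rec) - 10) + rec[-4:])
```

Sixteen known bytes are enough to pin down a three-byte key here; in general the known plaintext only needs to be a little longer than the key, and the `offset` argument covers the case where the known value is not the first record in the blob. The digit check in `decode_records` is the sanity test that tells the analyst the recovered key is right before any figures go into an impact assessment.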

Last but not least, the AbaddonPOS malware is loaded with anti-analysis checks and obfuscation techniques meant to make the job of malware researchers more difficult. Thankfully, the cybercriminals did not do enough to stop experts from dissecting every single byte of their threat, which has enabled anti-virus products to identify and eradicate AbaddonPOS easily.
