
NitlovePoS

Posted: May 22, 2019

NitlovePoS is a piece of malware that malware researchers discovered rather accidentally while observing a spam campaign used to distribute macro-laced Office documents. It is not yet known whether a well-known hacking group is behind the spam campaign in question, but its operators appear to work with a broad range of threatening payloads that could be deployed through the macro-laced documents seen in the email messages. The attackers have not opted for diverse email subjects; instead, all of their messages are disguised as emails regarding job openings, internships and resumes – the files accompanying these messages were given names such as ‘CV_[RANDOM NUMBERS].doc’ or ‘My_Resume_[RANDOM NUMBERS].doc.’

When the recipients attempt to review one of these fake documents, they may see a notification warning them that the document is protected and that they need to authorize Microsoft Office to ‘Enable Editing’ and ‘Enable Content’ – performing these actions allows the compromised document to execute the hidden macro script.

The payload delivered via the macro script appears to change on a regular basis – the attackers use a version of the Pony stealer, as well as unknown malware found in files with names such as ‘dro.exe,’ ‘5dro.exe,’ ‘jews2.exe’ and others. The executable file that caught the researchers' attention is ‘pos.exe’ and, as they suspected, it turned out to be a piece of malware that targets point-of-sale devices – NitlovePoS.

If NitlovePoS is deployed to the compromised system, it begins the attack by dropping its files to the %TEMP% folder under the names ‘defrag.scr’ and ‘defrag.vbs.’ The purpose of the Visual Basic Script (VBS) file is to monitor the running processes continuously and check whether ‘defrag.scr’ is running – if it detects that the latter process has been terminated, it executes it again. Naturally, NitlovePoS also ensures persistence by creating a Windows Registry key meant to execute the ‘defrag.vbs’ script.

When NitlovePoS is active, it monitors all running processes (apart from the ones categorized as system processes) and looks for credit card data. The malware works as a memory scraper, and all the credit card data it extracts from system memory is transferred to a remote Command & Control server. Tracing the route of the extracted data revealed that the server is hosted on the IP address 146.185.221.31, which is situated in Russia – the attackers also use three Russian domains linked to this address.
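The dropped files, the VBS watchdog, the Registry autostart and the C2 address described in the two paragraphs above give a defender a small set of behaviours to hunt for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor tool: it runs simple detection rules over a constructed event stream (file-create, process-create, registry-set and network-connect records in a made-up dict format). The Run-key location and the value name `defrag` are assumptions, since the article only says a Registry key launches ‘defrag.vbs.’

```python
import re

# Indicators taken from the NitlovePoS description above.
C2_IP = "146.185.221.31"
DROPPED_FILES = {"defrag.scr", "defrag.vbs"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_temp_path(path):
    """%TEMP% normally resolves to a directory named Temp on Windows."""
    return re.search(r"\\temp\\", path, re.IGNORECASE) is not None


def detect_nitlovepos(events):
    """Return (rule, detail) findings for the behaviours the article describes."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            if basename(ev["path"]) in DROPPED_FILES and is_temp_path(ev["path"]):
                findings.append(("dropped_file_in_temp", ev["path"]))
        elif kind == "process_create":
            # The VBS watchdog relaunches defrag.scr from a script host.
            if basename(ev["image"]) == "defrag.scr" and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
                findings.append(("vbs_watchdog_relaunch", ev.get("command_line", "")))
        elif kind == "registry_set":
            # Autostart value pointing at the dropped VBS (Run key location is an assumption).
            if "\\currentversion\\run" in ev["key"].lower() and "defrag.vbs" in ev["value"].lower():
                findings.append(("run_key_persistence", ev["key"]))
        elif kind == "network_connect":
            if ev["dest_ip"] == C2_IP:
                findings.append(("known_c2_connection", ev["dest_ip"]))
    return findings


# Constructed sample telemetry (not real logs) illustrating the infection chain.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\clerk\AppData\Local\Temp\defrag.scr"},
    {"type": "file_create", "path": r"C:\Users\clerk\AppData\Local\Temp\defrag.vbs"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\defrag",
     "value": r"wscript.exe C:\Users\clerk\AppData\Local\Temp\defrag.vbs"},
    {"type": "process_create", "image": r"C:\Users\clerk\AppData\Local\Temp\defrag.scr",
     "parent_image": r"C:\Windows\System32\wscript.exe", "command_line": "defrag.scr"},
    {"type": "network_connect", "dest_ip": "146.185.221.31", "dest_port": 80},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect_nitlovepos(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign notepad.exe record produces no finding, while each stage of the described chain yields exactly one.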

PoS malware rarely contains any surprises in terms of functionality, and it is usually very easy for anti-virus software to identify and eradicate these threats before they manage to cause problems. Unfortunately, many businesses do not take the necessary computer security measures to protect their customers, and these are exactly the situations in which NitlovePoS may end up causing significant financial loss.
