
ScanPOS

Posted: November 17, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 126
First Seen: November 17, 2016
Last Seen: August 1, 2021
OS(es) Affected: Windows

ScanPOS is a PoS Trojan that infects Point-of-Sale machines and collects credit card information. Other threats may distribute ScanPOS, including banking Trojans that have additional capabilities associated with pilfering financial or account-related data. With this threat showing no symptoms, businesses should strive to avoid known infection vectors and use anti-malware products for uninstalling ScanPOS.

The Thief Picking Your Memory's Pockets

Although they are by no means the most popular category of threatening software, card-scraper style Trojans are a persistent facet of the industry, much like credit cards are for legitimate financial activities. A brand-new Trojan from this category, ScanPOS (named by the cybersecurity company Morphick after one of its compilation strings), offers a close look at how simplicity can benefit a category of Trojans that is often over-designed. It provides all of the essential features of a PoS Trojan while still evading most current detection standards.

The ScanPOS campaign uses other threats, such as the Kronos banking Trojan, to install ScanPOS. The original infection routes lead back to North American and European e-mail campaigns that distribute documents regarding employee terminations, with the attachments harboring macro-based exploits. After opening the document, assuming that no other working security measures are in place and that macros are enabled, both Kronos and the rest of its payload, including ScanPOS, drop onto the system. Kronos includes semi-flexible threat-downloading capabilities, and malware experts sometimes find additional Trojans alongside ScanPOS.

ScanPOS uses a constant, memory-checking code loop to scan for any data associated with credit or debit cards. The scanning routine pauses itself at periodic intervals of hibernation and skips system processes, so that ScanPOS only looks in places where the targeted information might reside. An HTTP POST request to a corrupted domain transfers all of ScanPOS's collected information over the network.
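The HTTP POST exfiltration described above can be caught at the network edge by inspecting outbound request bodies for magnetic-stripe track data, which is what a memory scraper harvests from PoS RAM. The following Python is an added example, not code from this page or from Morphick's analysis; the POST bodies, hostnames and PANs are constructed samples (the PANs are well-known public test numbers).

```python
import re

# Track 1 (%B<PAN>^<NAME>^<exp/service>...) and Track 2 (;<PAN>=<exp/service>...)
# magnetic-stripe layouts: the format a PoS memory scraper collects and POSTs out.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(body: str) -> list:
    """Return masked PANs for every Luhn-valid track record found in body."""
    hits = []
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(body):
            pan = m.group(1)
            if luhn_valid(pan):   # keep first 6 and last 4 digits only
                hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits


def scan_posts(posts):
    """posts: iterable of (dest_host, body). Returns one alert per body carrying track data."""
    alerts = []
    for host, body in posts:
        masked = find_track_data(body)
        if masked:
            alerts.append({"host": host, "count": len(masked), "pans": masked})
    return alerts


# Constructed sample POST bodies (not real captures); hostnames are placeholders.
SAMPLE_POSTS = [
    ("cdn.example-update.test",
     "data=%B4111111111111111^DOE/JOHN^2512101000000000?;5555555555554444=25121010000000000?"),
    ("api.vendor.example", "sku=12345&qty=2&note=;4111111111111112=2512?"),  # Luhn-invalid, benign
    ("telemetry.example", "uptime=86400&version=3.1"),
]

if __name__ == "__main__":
    for a in scan_posts(SAMPLE_POSTS):
        print(f"ALERT {a['host']}: {a['count']} card record(s) -> {a['pans']}")
```

The Luhn filter matters in practice: PoS traffic is full of numeric fields, and without it a track-shaped regex alone produces noisy alerts.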

Scanning Your Options for Preventing Holiday Theft

Malware analysts rate ScanPOS as a surprisingly simple Trojan that doesn't use many code-obfuscation or compression techniques. However, that simplicity, along with ScanPOS being a wholly original Trojan rather than a member of a preexisting family, has helped it attain extremely low detection rates. Arguably, the possible presence of Kronos in an average ScanPOS infection is an even greater threat, thanks to its capacity for dropping more Trojans besides the card-scraper program.

ScanPOS acts to compromise financial information immediately and persistently, which makes a fast reaction to its presence highly necessary. Employees should be reminded to avoid opening e-mail attachments from suspicious sources, especially documents that can embed exploits in their content. Updated anti-malware products should be able to detect Kronos or the Trojan dropper with less difficulty than the relatively unknown ScanPOS, although removing ScanPOS still should be left to anti-malware software whenever possible.

Even for a Trojan builder, 'less is more' sometimes is an apt saying, and one shouldn't forget that complexity isn't equal to danger level in Trojans like ScanPOS.
