AbaddonPOS Malware Tied To Vawtrak Hits Retailers' POS Systems As Holiday Shopping Season Nears

Cybersecurity experts warn that two kinds of POS malware that roamed undetected during the last years might cause serious losses to buyers during the upcoming holiday shopping season.

The coming festive break is one of the best times of the year for hackers to make their move, as customers seldom keep tight track of all their holiday expenses.

When talking about credit card theft, the most recent "evolution" in stealthy POS exploitation comes from the AbaddonPOS and Cherry Picker malware. Analysts detected and reported their existence during the last week.

The older one is Cherry Picker, which seems to have started running malicious actions as early as 2011. Back then, it targeted retail stores, but digital security engineers say it has now evolved. Cherry Picker now features improved card ripping capability, persistence mechanisms and anti-analysis decoys.

Eric Merritt, a security researcher at Trustwave, points out that the malware deceitfully erases evidence of its own existence after completing its vile work. The malware goes undetected because it overwrites files over and over again, and it removes the data exfiltration locations from logs.

Merritt adds that Cherry Picker also draws little attention to itself "by focusing on one process that is known to contain card data as opposed to targeting all processes."

The infamous malware mostly affects computers sporting Windows 7 and Windows XP, on which it runs remote admin services. The final victims of the cybertheft are food industry clients who use POSs for their purchases.

Experts from Proofpoint blew the whistle concerning the AbaddonPOS malware and decribed its workings in detail.

"Point of sale (PoS) malware has been implicated in some of the biggest recent data breaches, striking retailers, restaurants, hospitality and organizations from a variety of industries, and often targeting consumers in the United States," the security company says.

AbaddonPOS was detected on seven client networks that were scrutinized for bugs in the aftermath of a Vawtrak infection.

"On Oct. 8, Proofpoint researchers observed Vawtrak downloading TinyLoader ... which then downloaded AbaddonPOS," Proofpoint points out. The security firm adds that it is has become common to see malware that increases the number of cybervictims by using multiple payloads.

What is more, weaponized Microsoft Office documents can lead to downloading TinyLoader, ending in the device being infected by AbaddonPOS.

Proofpoint warns that although the presented techniques of POS infection are only used by a select few attackers, the holiday shopping spree might lead to an increased number of vulnerabilities in the retail sector.

With a blooming deployment of EMV credit card technologies, POS malware danger is prone to increase in the United States.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics