New Modifications of POS Malware

London, UK – July 11, 2017 – For the last two weeks the world’s attention has been drawn to the NotPetya / GoldenEye APT attack, so other attacks have received less attention than they deserve. Researchers at Securelist reported a new modification of Neutrino for POS terminals. This POS malware does not activate immediately; instead it ‘sleeps’ for a long, random amount of time to bypass AV sandboxes, then sends a POST request to its control server to confirm it is working and to receive further commands. Neutrino is able to bypass firewalls and Windows Defender, and not all AV tools can detect the new modification. The main purpose of this POS malware is to scan memory, find credit card data and transfer it to the control server. Attacks on POS terminals are quite frequent, and the tools for such attacks are evolving rapidly. A modification of the PoSeidon / FindPOS malware was used in a recent attack on Avanti Markets. This attack is notable because, as the company reported, users’ biometric data may have been stolen. The functionality of such malware allows it to find and transmit any data it discovers, but so far there is no evidence that any biometric data was compromised.

Companies that work with biometric data especially need to increase their security, since a compromised credit card can be re-issued, but biometric data is for life. You can find several SIEM use cases in the S.M.A. cloud that will help your SIEM tool detect such attacks. The APT Framework is designed to constantly monitor the company’s infrastructure and alert you to suspicious activity and signs of attack. The Netflow Security Monitor use case enables real-time traffic profiling and automatic email notifications on deviations.