Cylance vs. LockPOS Malware

Background

LockPOS is a stealthy point of sale (POS) malware with a rich heritage. Greek mythology states that Athena, Goddess of War, sprang as a fully armed warrior from the head of Zeus. Likewise, in 2016, the POS malware called Flokibot emerged from the Zeus banking trojan and showcased a 40% increase in execution rates. LockPOS is an evolution of Flokibot, and current indicators suggest it is the most advanced iteration of the Zeus-family malware.

LockPOS Analyzed

Cylance Threat Research dissected LockPOS to see how this silent threat infiltrates systems without detection. Its major innovation is the use of API hashing while injecting itself into the Microsoft Windows® kernel. POS malware has long relied on Windows API calls, but LockPOS resolves them in a way that leaves it undetectable to many antivirus (AV) programs.

Our testers have observed LockPOS using the following injection process:

  • The core payload of LockPOS is encrypted
  • LockPOS calls APIs to perform payload decryption
  • The APIs are resolved by hash rather than by name (API hashing), which makes the activity difficult for AV to detect
  • The decrypted executable loads into memory
  • Once executed, the malware makes additional hashed API calls from ntdll.dll to inject itself into explorer.exe
  • The malware is injected from memory into the kernel space
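As an added example (not code from the Cylance post or from the malware), the analyst-side counterpart to the API hashing described above: a table of hashes pre-computed from exported names so that hashed API references pulled from an unpacked sample can be labelled. The classic ROR-13 routine is assumed as a stand-in hash function, since the page does not give LockPOS's own algorithm; it would be recovered from the sample first and swapped in. The export names are a constructed subset.

```python
# Added example: resolve hashed API references back to names.
# ror13_hash is an ASSUMED stand-in; LockPOS's real hash routine is not on
# the page and must be recovered from the unpacked sample before this table
# is useful against it.

def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= 0xFFFFFFFF
    return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF

def ror13_hash(name: str) -> int:
    """Classic ROR-13 export-name hash: h = ror(h, 13) + byte, per byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def build_hash_table(exports, hash_fn=ror13_hash):
    """Map hash -> ['dll!Name', ...]; collisions are kept, not silently dropped."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append(f"{dll}!{name}")
    return table

def resolve_hashes(hashes, table):
    """Label every hash seen in a sample; unknown ones stay visible for triage."""
    return {h: table.get(h, ["<unresolved>"]) for h in hashes}

# Constructed export list: a few ntdll/kernel32 names an analyst would dump
# from clean copies of the DLLs (the real table holds thousands of entries).
EXPORTS = {
    "ntdll.dll": ["NtOpenProcess", "NtWriteVirtualMemory", "NtCreateThreadEx",
                  "NtAllocateVirtualMemory", "NtQueueApcThread"],
    "kernel32.dll": ["VirtualAlloc", "CreateProcessA", "CreateRemoteThread"],
}

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    # Constructed "hashes seen in a sample": two known names and one junk value.
    seen = [ror13_hash("NtWriteVirtualMemory"), 0x91AFCA54, 0xDEADBEEF]
    for h, names in resolve_hashes(seen, table).items():
        print(f"{h:#010x} -> {', '.join(names)}")
```

Once the sample's real hash routine is known, only `hash_fn` changes; the table build and lookup stay the same.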

Once injected, LockPOS attempts to communicate with a command and control (C2) server at bbbclearner[dot]at/_x/update[dot]php. This C2 server is not used by any previously discovered malware, though it contains a back-end panel similar to the one on the treasurehunter[dot]at C2 server. Additionally, LockPOS queries several unregistered domains, possibly to further cloak its activity or to hide its actual C2 domain. A list of these decoy domains appears under the IOC – Domains heading of the full post.

Why is LockPOS Important and Why Should I Be Concerned?

LockPOS is designed to steal payment card information from point of (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog