Threat Spotlight: LockPOS Point of Sale Malware

LockPOS is a point-of-sale malware discovered in 2017 that is used to exfiltrate payment card data from targeted point-of-sale systems’ memory. The most recent version of LockPOS examined here changed its injection technique to drop the malware directly to the kernel to evade detection and bypass traditional antivirus (AV) hooks.

This evasion technique has previously been employed by a similar malware family (Flokibot POS malware). In addition to the new injection technique, this variant also communicates with a command-and-control (C2) server that has not been seen before.

The following is a technical overview of this new technique used by LockPOS:

File Information

SHA256: 1436577b2b111fe299a1321e00543d0e8d49d827abde651faea7403e4bb38644
Type: Win32 EXE
Size: 140,288 bytes
Timestamp: 11/18/2017 12:40:26 PM
ITW names: 1e490056bdb537f9492bc72a365537f0.virobj 1e490056bdb537f9492bc72a365537f0

Technical Analysis

The malware has a core resource section that is encrypted:

Figure 1

When it runs, it begins making API calls that are used to decrypt itself, and the APIs are obfuscated using API hashing:

Figure 2

The decrypted executable with a debugging string shown below is then loaded to memory for execution:

Figure 3

When executed, the malware uses API calls from ntdll.dll to inject itself into explorer.exe as a persistence mechanism. These API calls are still resolved through API hashing. The direct use of ntdll.dll for injection is new for LockPOS and lets the malware avoid traditional AV detection by injecting the code on the fly within memory:

Figure 4
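API hashing, as used both for the decryption routine and for the ntdll.dll calls above, replaces readable import names with numeric hashes that the loader compares against the hash of each export at run time. The analyst-side counterpart is a lookup table that maps hashes back to names. The script below is an added example of that table, not code from the original post or from Cylance; the post does not disclose LockPOS's hash routine, so a ROR13-style rolling hash is assumed purely for illustration, and the abbreviated export lists are constructed (real tooling would read the full export table of each DLL, for example with pefile).

```python
"""Recover API names from the hash constants an API-hashing loader carries.

Added analyst example. ASSUMPTION: a ROR13-style rolling hash over the
ASCII export name; LockPOS's real routine is not given in the write-up.
The export lists are CONSTRUCTED and deliberately short.
"""
from typing import Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Assumed ROR13-style hash: rotate the accumulator, then add each byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed, abbreviated export lists (real DLLs export far more names).
CONSTRUCTED_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"],
    "ntdll.dll": ["NtClose", "NtOpenProcess", "NtQueryInformationProcess", "RtlInitUnicodeString"],
}


def build_hash_table(exports: Dict[str, Iterable[str]]) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (module, export) for every known export, refusing silent collisions."""
    table: Dict[int, Tuple[str, str]] = {}
    for module, names in exports.items():
        for name in names:
            h = api_hash(name)
            if h in table and table[h][1] != name:
                raise ValueError(f"hash collision: {table[h]} vs {module}!{name}")
            table[h] = (module, name)
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, Tuple[str, str]]) -> List[str]:
    """Translate hash constants pulled from a sample into 'module!Export' labels."""
    return [
        f"{table[h][0]}!{table[h][1]}" if h in table else f"UNKNOWN_{h:08x}"
        for h in hashes
    ]


if __name__ == "__main__":
    table = build_hash_table(CONSTRUCTED_EXPORTS)
    # Constructed stand-in for constants an analyst would copy out of a disassembly.
    observed = [api_hash("LoadLibraryA"), api_hash("NtOpenProcess"), 0xDEADBEEF]
    for h, label in zip(observed, resolve_hashes(observed, table)):
        print(f"{h:08x} -> {label}")
```

The table is built once per DLL set and then applied to every hash constant found in the loader's resolution loop; any hash that stays UNKNOWN either belongs to a module not yet in the table or signals that the assumed hash routine is wrong and needs to be re-derived from the sample's own loop.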

The injected code will then try to connect to the C2 server at the following address:

bbbclearner[dot]at/_x/update[dot]php

This is a new C2 server that has not previously been seen in malware campaigns. It also appears to host a back-end panel similar to the one seen earlier on the treasurehunter[dot]at C2 server.

Figure 5
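The practical use of the indicators in this post is to sweep proxy and endpoint logs for them. The script below is an added defender example, not code from the original post or from Cylance: it refangs the published indicators (the C2 URL, the earlier treasurehunter[dot]at domain and the sample's SHA256) and checks them against proxy and EDR log lines that are constructed here for the demonstration.

```python
"""Refang the write-up's indicators and sweep constructed logs for them.

Added defender example. The indicator values are the ones the post lists;
every log line below is CONSTRUCTED, including host names and file paths.
"""
import re
from typing import Dict, List, Tuple

# Indicators as published (defanged) in the write-up.
IOCS: Dict[str, str] = {
    "lockpos_c2_url": "bbbclearner[dot]at/_x/update[dot]php",
    "lockpos_sha256": "1436577b2b111fe299a1321e00543d0e8d49d827abde651faea7403e4bb38644",
    "prior_c2_domain": "treasurehunter[dot]at",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([dot], [.], hxxp) back into its literal form."""
    s = re.sub(r"\[(?:dot|\.)\]", ".", indicator, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


# Constructed log lines: three proxy records and one EDR file-event record.
CONSTRUCTED_LOGS: List[str] = [
    "2017-11-20T10:01:02Z 10.0.5.21 GET http://example.com/index.html 200",
    "2017-11-20T10:01:09Z 10.0.5.21 POST http://bbbclearner.at/_x/update.php 200",
    "2017-11-20T10:02:15Z 10.0.5.33 GET http://treasurehunter.at/ 404",
    "2017-11-20T10:01:00Z POS-REG-07 C:\\Users\\cashier\\AppData\\Local\\Temp\\svc.exe "
    "sha256=1436577b2b111fe299a1321e00543d0e8d49d827abde651faea7403e4bb38644",
]


def sweep(lines: List[str], iocs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator name, matched literal) for every hit.

    Matching is case-insensitive substring search, which is right for URLs and
    hashes; for bare domains add boundary checks so 'example.at' does not
    match 'notexample.at'.
    """
    literals = {name: refang(value).lower() for name, value in iocs.items()}
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        lowered = line.lower()
        for name, literal in literals.items():
            if literal in lowered:
                hits.append((lineno, name, literal))
    return hits


if __name__ == "__main__":
    for lineno, name, literal in sweep(CONSTRUCTED_LOGS, IOCS):
        print(f"line {lineno}: {name} -> {literal}")
```

Refanging is kept separate from matching so the same indicator list can be pasted from a report verbatim and later fed to tools that expect literal values; the sweep itself is a plain substring scan, which is deliberately simple so the results are easy to audit by hand.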

In addition to the abovementioned C2 server, (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog