

Rewterz Threat Advisory – CVE-2020-9046 – ICS: Johnson Controls Kantech EntraPass
May 28, 2020
Rewterz Threat Alert – Turla and ComRAT v4
May 28, 2020
Severity
Medium
Analysis Summary
Researchers have analyzed a piece of malware used to scrape credit card data at the Point-of-Sale (PoS). Using a previously seen malware family together with living-off-the-land techniques, the threat group compromised several PoS terminals. The attackers used PsExec and compromised credentials to implant a pair of files on three separate PoS systems: a PowerShell script saved as a batch file, and an image file. Several such pairs, in differing combinations, have been discovered; although the specific tools and techniques differ from pair to pair, the basic functionality is the same. The batch file loads the image file's contents into memory, and the script then injects the image data into its own process. The image is a PNG with raw shellcode appended to it, and that appended shellcode is what the loader ends up executing; it is a variant of the TinyPOS family. The shellcode creates a file to store the scraped credit card data, which is then uploaded to a C2 server in an encoded form.
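The loader described above hides its payload as raw bytes appended after the end of an otherwise valid PNG. Because a well-formed PNG ends with its IEND chunk, any bytes after IEND are a strong hunting signal on a PoS host. The following script is an added example (not Rewterz's code and not the malware itself): it walks the PNG chunk list, reports trailing data after IEND, and checks the file's MD5/SHA-256 against the IOC hashes listed in this alert. The sample PNG and the appended NOP bytes are constructed inline so it runs offline; the function names and the `scan` verdict format are this example's own choices.

```python
"""Hunt for PNG files with data appended after IEND (as in the TinyPOS loader
above) and match file hashes against the advisory IOCs.
Added example, not Rewterz's or the malware's code. All sample input is constructed."""
import hashlib
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# IOC hashes copied from the advisory's Indicators of Compromise section.
IOC_MD5 = {
    "9e56cd1c62a11b3f6f789da56cfe581d",
    "2146d62b2be5b4ec04cd297c4e3094d1",
}
IOC_SHA256 = {
    "15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00",
    "e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae",
}


def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk the PNG chunk list. Returns the bytes found after the IEND chunk
    (b"" for a clean file) or None if the input is not a parseable PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 4-byte length + 4-byte type + payload + 4-byte CRC
        if end > len(data):
            return None  # truncated chunk: not a valid PNG
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return None  # ran out of data without seeing IEND


def hash_matches(data: bytes) -> dict:
    """Compare the file's MD5 and SHA-256 with the advisory IOC sets."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {"md5": md5 in IOC_MD5, "sha256": sha256 in IOC_SHA256}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (CRC covers type + payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal RGB PNG (black pixels) used as sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\x00\x00\x00" * width  # filter byte + RGB pixels
    idat = zlib.compress(scanline * height)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def scan(data: bytes) -> dict:
    """Combine the structural check and the IOC hash check into one verdict."""
    trailer = png_trailing_data(data)
    verdict = {
        "is_png": trailer is not None,
        "trailing_bytes": len(trailer) if trailer else 0,
        **hash_matches(data),
    }
    verdict["suspicious"] = bool(verdict["trailing_bytes"]) or verdict["md5"] or verdict["sha256"]
    return verdict


if __name__ == "__main__":
    clean = build_png()
    # Constructed stand-in for an appended payload (a NOP sled, not real shellcode).
    tampered = clean + b"\x90" * 64
    for name, blob in (("clean.png", clean), ("tampered.png", tampered)):
        print(name, scan(blob))
```

On a real host, read each image file from disk and pass its bytes to `scan`; a non-zero `trailing_bytes` on a PNG that sits beside a batch file is the pairing this alert describes, and a hash hit is a direct IOC match. The structural check is deliberately independent of the hash check so that a recompiled or re-padded loader that defeats the hashes is still caught.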

Impact
Data Disclosure
Indicators of Compromise
MD5
- 9e56cd1c62a11b3f6f789da56cfe581d
- 2146d62b2be5b4ec04cd297c4e3094d1
SHA-256
- 15712752daf007ea0db799a318412478c5a3a315a22932655c38ac6485f8ed00
- e48af0380d51eff554d56aabeeb5087bba37fa8fb02af1ccd155bb8b5079edae
Remediation
- Block all threat indicators at your respective controls.
- Search for the IOCs in your environment.
- Review PsExec activity on PoS terminals (PsExec installs the PSEXESVC service on the target), and look for PowerShell launched from batch files that read image files, since that is how the implant was delivered and run.
- Inspect image files on PoS hosts for data appended after the PNG IEND chunk; a valid PNG ends at IEND, so trailing bytes are a sign of the appended shellcode described above.