POS Malware Uses Time-Stamp Check to Evade Detection

By on

This blog post was written by Kumaraguru Velmurugan.

Point of sale (POS) attacks appear to have gained in popularity during the past year or so. We have seen major retail chains targeted by different strains of POS malware. Equipped with memory-scraping functionality, POS malware steals credit or debit card information from shoppers who use their cards for payments.

The following illustration shows the similarity of a recent variant we have captured against previous samples we’ve seen. The code has undergone minimal changes since its inception.

blog_img9.jpg.png

Black POS malware is one of the most prevalent POS families in the wild. Recently we noticed new variants of Black POS that exhibit no behavior when executed in a synthetic environment. This inactivity in a sandbox promptly captured our attention. This new variant of Black POS checks the system time on the infected machine against the hardcoded time stamp on the executable. (Malware has long used this technique to be active only during certain periods, while remaining dormant the rest of the time.)

This variant of Black POS was compiled with Borland C++. Next we see one sample’s main function, in which time is checked against a preset value.

timestamp_check.jpg

Looking at the malware’s time stamp, Wed 14 Jan 2015 18:14:29 GMT, we see the malware is designed to exhibit its behavior for one month from the time it was compiled.

The key functions of this sample include memory dumping and enumerating modules loaded in process memory.

blog_img2.jpg

blog_img3.jpg

The sample also scans for credit card information in memory by employing a Perl Compatible Regular Expressions engine, as shown in the following image.

blog_img4.jpgblog_img5.jpg.pngblog_img6.jpg.png.jpg

McAfee Advanced Threat Defense detects the samples involved in this attack. The sample is detected via static code analysis, the Family Classification module.

 

 

Leave a Comment

Similar articles

Earlier this week, we revealed McAfee's Most Dangerous Celebrity of 2019 in the U.S., Alexis Bledel. Growing from a young actress in "Gilmore Girls" to Ofglen in "A Handmaid's Tale," Bledel’s rising stardom helps to explain why she topped this year's list. But, is that the case in other parts of the world as well? ...
Read Blog