CenterPOS Malware

CenterPOS (also known as "Cerebrus") is Point of Sale (POS) malware that was discovered by FireEye experts.[1] It was discovered in September 2015 along with other POS malware such as NewPOSThings, BlackPOS and Alina.[2] Two variants have been released by the cybercriminals: version 1.7 and version 2.0.[3] CenterPOS 2.0 has similar functionality to version 1.7, but adds a notable feature: it creates a configuration file that stores its command and control (C&C) server information.[4]

Introduction

CenterPOS malware has been used to target retailers in order to steal payment card information. The malware contains a memory scraper that extracts payment card data from the memory of other processes.[5] It uses two modes to scrape and store information: "smart scan" and "normal scan" mode.[6] In normal scan mode, the malware enumerates all processes on the device and selects those that are not its own running process, are not named "system", "system idle process" or "idle", and whose names do not contain keywords such as "microsoft" or "mozilla". For every process that meets these criteria, the malware searches all of the process's memory regions for credit card data using the patterns in its regular expression list. In smart scan mode, the malware starts by performing a normal scan; any process that produces a regular expression match is added to the smart scan list. After the first pass, the malware only searches the processes on the smart scan list. The malware also contains functionality that allows the cybercriminals to create a configuration file.[7]
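The two scanning modes described above leave a distinctive footprint in host telemetry: in normal scan mode one process opens memory-read handles on nearly every other process on the machine, and in smart scan mode it then keeps re-reading the small set of processes where card data was found. The following detection heuristic is an added example, not CenterPOS code and not code from any of the cited reports. It runs over a simplified, constructed log format standing in for process-access events (Sysmon Event ID 10, ProcessAccess, records the same fields); the file paths, process names, timestamps and access masks in the sample are all constructed for illustration.

```python
"""
Added example: a detection heuristic for the process-memory scanning pattern
of POS RAM scrapers such as CenterPOS. Normal scan mode shows up as one source
process opening VM_READ handles on almost every other process; smart scan mode
shows up as repeated VM_READ handles from that source on a few targets.
The log format and all names below are constructed stand-ins for real telemetry.
"""
import re
from collections import defaultdict

# Windows process access right for reading another process's memory.
PROCESS_VM_READ = 0x0010

# Process names the scraper skips (taken from the description of normal scan
# mode). A scraper touches everything except these, so they are excluded
# before counting so that legitimate reads of them do not inflate the score.
SKIP_TARGETS = {"system", "system idle process", "idle"}
SKIP_KEYWORDS = ("microsoft", "mozilla")

# Constructed sample events: "<timestamp> <source image> -> <target image> <access mask>".
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION; 0x1000 = query only.
SAMPLE_EVENTS = r"""
2016-01-28T10:00:01 C:\Windows\Temp\svc.exe -> pos.exe 0x1010
2016-01-28T10:00:01 C:\Windows\Temp\svc.exe -> explorer.exe 0x1010
2016-01-28T10:00:01 C:\Windows\Temp\svc.exe -> notepad.exe 0x1010
2016-01-28T10:00:01 C:\Windows\Temp\svc.exe -> MicrosoftEdge.exe 0x1010
2016-01-28T10:00:02 C:\Windows\Temp\svc.exe -> System 0x1010
2016-01-28T10:00:05 C:\Windows\System32\taskmgr.exe -> pos.exe 0x1000
2016-01-28T10:00:05 C:\Windows\System32\taskmgr.exe -> explorer.exe 0x1000
2016-01-28T10:00:05 C:\Windows\System32\taskmgr.exe -> notepad.exe 0x1000
2016-01-28T10:00:30 C:\Windows\Temp\svc.exe -> pos.exe 0x1010
2016-01-28T10:01:00 C:\Windows\Temp\svc.exe -> pos.exe 0x1010
2016-01-28T10:01:30 C:\Windows\Temp\svc.exe -> pos.exe 0x1010
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (0x[0-9A-Fa-f]+)$")


def parse_events(text):
    """Parse the constructed log format into (timestamp, source, target, mask) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, mask = m.groups()
            events.append((ts, src, dst, int(mask, 16)))
    return events


def is_scrapable_target(name):
    """Mirror the scraper's exclusion list: True for processes it would actually read."""
    n = name.lower()
    if n in SKIP_TARGETS:
        return False
    return not any(k in n for k in SKIP_KEYWORDS)


def find_scrapers(events, min_targets=3):
    """Normal-scan footprint: sources that opened VM_READ handles on at least
    min_targets distinct scrapable processes. Returns {source: sorted targets}."""
    targets = defaultdict(set)
    for _ts, src, dst, mask in events:
        if mask & PROCESS_VM_READ and is_scrapable_target(dst):
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def repeated_targets(events, source, min_reads=2):
    """Smart-scan footprint: targets the given source re-read at least
    min_reads times with VM_READ. Returns {target: read count}."""
    counts = defaultdict(int)
    for _ts, src, dst, mask in events:
        if src == source and mask & PROCESS_VM_READ and is_scrapable_target(dst):
            counts[dst] += 1
    return {dst: n for dst, n in counts.items() if n >= min_reads}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, tgts in find_scrapers(evs).items():
        print(f"broad memory read by {src}: {tgts}")
        print(f"  repeatedly re-read: {repeated_targets(evs, src)}")
```

In the sample, `taskmgr.exe` is not flagged because its handles lack the VM_READ right, while `svc.exe` is flagged for reading three distinct scrapable processes and then re-reading `pos.exe` four times. On a real host, endpoint security agents and debuggers also read process memory broadly, so a production rule needs an allow-list of known tools and a `min_targets` threshold tuned to the host's normal process count.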

Process of CenterPOS malware

First, the malware searches for the configuration file that contains the C&C information. If no configuration file is found, it prompts for a password; if the password entered is correct, it runs the functions that create a configuration file.[8] This distinguishes CenterPOS from other point of sale malware, which typically uses a separate component called a builder to create the payload.[9]

The CenterPOS malware looks for credit and debit card information in smart scan mode and then encrypts all of the scraped data using TripleDES encryption.[10] The encrypted memory-scraped data is then sent to the malware operator in a separate HTTP POST request.[11]

References

  1. CenterPOS. "CenterPoS POS Malware Variant". Cyber.nj.gov. Retrieved 2016-10-02.
  2. "Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems". Securityaffairs.co. 2016-01-29. Retrieved 2016-10-02.
  3. "Centerpos: An Evolving Pos Threat". Fireeye.com. 2016-01-28. Retrieved 2016-10-02.
  4. "CenterPOS – The evolution of POS malware". Iicybersecurity.wordpress.com. 2016-01-29. Retrieved 2016-10-02.
  5. Numaan Huq (2013-07-16). "A look at Point of Sale RAM scraper malware and how it works". Nakedsecurity.sophos.com. Retrieved 2016-10-02.
  6. "CenterPOS: An Evolving POS Threat". Securitybloggersnetwork.com. Retrieved 2016-10-02.
  7. "Two New PoS Malware Affecting US SMBs". TrendLabs. 2015-09-28. Retrieved 2016-10-09.
  8. "New Version Of CenterPOS Malware Taps Rush To Attack Retail Systems". Darkreading.com. Retrieved 2016-10-02.
  9. "Two new point-of-sale threats target SMBs in the U.S". Scmagazine.com. 2013-10-31. Retrieved 2016-10-02.
  10. "New Version of CenterPOS Malware Emerges". Onthewire.io. 2016-01-28. Retrieved 2016-10-02.
  11. "Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems". Securityaffairs.co. 2016-01-29. Retrieved 2016-10-02.

This article is issued from Wikipedia - version of the 12/4/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.