NewPosThings.C: a 64-bit variant of POS malware released in the wild

The Dell SonicWALL Threats Research team has observed reports of a 64-bit variant of the NewPosThings bot family, detected as GAV: NewPosThings.C. NewPosThings is point-of-sale (POS) malware known for targeting payment processing systems, and this new variant has been released in the wild. This time the threat is built for 64-bit machines and carries a higher version number than earlier samples.

Infection Cycle:

MD5: 4196c67648003a18f61573a77b6d3be6

The Trojan adds the following files to the system:

  • %Userprofile%\Application Data\Java\JavaUpdate.exe

  • %Userprofile%\Application Data\Java\DLLx64.dll

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    • %Userprofile%\Application Data\Java\JavaUpdate.exe

NewPosThings enumerates the running processes; JavaUpdate.exe is responsible for periodically scraping the memory of those processes on the infected machine for credit card information.

The Trojan carries an exclusion list of system processes to ignore; it gathers track data by scanning the memory of all running processes except those on the following list:

The malware searches the registry for stored VNC passwords. The following keys and values are checked:

  • HKLM\SOFTWARE\RealVNC\vncserver [Password]

  • HKLM\SOFTWARE\RealVNC\WinVNC4 [Password]

  • HKCU\SOFTWARE\RealVNC\WinVNC4 [Password]

  • HKCU\Software\TightVNC\Server [Password]

  • HKCU\Software\TightVNC\Server [PasswordViewOnly]

  • HKCU\Software\TigerVNC\WinVNC4 [Password]

It also searches the UltraVNC configuration file ultravnc.ini for the 'passwd=' and 'passwd2=' entries, as shown in the following:

The malware attempts to extract credit card data from the memory of POS software. Here is an example of the malware scraping memory:

Command and Control (C&C) Traffic

Every 10 minutes NewPosThings checks whether harvested data is available for transfer to the command and control (C&C) server. The collected data is sent over plain HTTP on port 80, with requests made on a regular basis to statically defined domains such as:

The malware transfers the credit card data Base64-encoded; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: NewPosThings.C
