New GamaPoS malware targets US companies


The Dell SonicWALL Threats Research team observed reports of a new POS malware family, detected as GAV: GamaPOS.ABC. The malware contains memory-scraping functionality like the popular point-of-sale Trojan BlackPOS, but this time it is spreading across the United States through malicious emails that carry attachments such as the macro-based Andromeda malware seen in the wild.

The POS malware uses valid code-signing certificates to sign its malicious components in order to evade detection by AV products.

Infection Cycle:

Md5s:

  • Detected as GAV: GAMAPOS.ABC (Trojan)
    • dc035e61535d5db2ad08d6853c7759a3
    • 6cabaef20e08803e2e9cd380aae00bc6
    • 685f2a756a001598ec697911c2ee11cd
    • 1c7baed4c317e610ea991751e5d9758d
    • 575040751b4755ecf5c9394b76b5c41c
  • Detected as GAV: GAMAPOS.ABD (Trojan)
    • 99fd9f118eaa969976f2defb61e4582e

The malware adds the following files to the system:

  • %Userprofile%\All Users\jane.exe [Executable dropper]
  • %Userprofile%\All Users\_temp.dat [Keylogger log]

The malware adds the following key to the Windows registry to ensure persistence across reboots:

The malware uses multiple component tools to grab information from the infected machine, and signs them with legitimate code-signing certificates to avoid detection by AV vendors.

GamaPOS retrieves a list of running processes and then periodically scrapes the memory of those processes on the infected machine for credit card information.

The malware installs a keylogger on the target machine and saves the captured keystrokes to the _temp.dat file.

Here is an example:

Command and Control (C&C) Traffic

GamaPOS performs C&C communication over port 1080. The malware sends the victim's system information to its C&C server in the following format; here are some examples:
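To make the indicators in this advisory actionable, here is an added example (not part of the original advisory and not SonicWALL code) that turns the listed MD5 hashes, the dropped-file paths and the port 1080 C&C behaviour into simple host and network checks. The firewall log format, the sample log lines and the file contents used in the checks are constructed for illustration; only the hashes, file names and port number come from the advisory.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# MD5 hashes and detection names listed in the advisory
GAMAPOS_MD5S = {
    "dc035e61535d5db2ad08d6853c7759a3": "GAV: GAMAPOS.ABC",
    "6cabaef20e08803e2e9cd380aae00bc6": "GAV: GAMAPOS.ABC",
    "685f2a756a001598ec697911c2ee11cd": "GAV: GAMAPOS.ABC",
    "1c7baed4c317e610ea991751e5d9758d": "GAV: GAMAPOS.ABC",
    "575040751b4755ecf5c9394b76b5c41c": "GAV: GAMAPOS.ABC",
    "99fd9f118eaa969976f2defb61e4582e": "GAV: GAMAPOS.ABD",
}

# File names the advisory says are dropped under %Userprofile%\All Users
DROPPED_FILES = {"jane.exe", "_temp.dat"}
DROPPED_DIR = "all users"

# C&C port named in the advisory
C2_PORT = 1080


def classify_hash(md5_hex):
    """Return the advisory's detection name for a known MD5, or None."""
    return GAMAPOS_MD5S.get(md5_hex.lower())


def classify_file(path, data):
    """Return the reasons (possibly none) a file matches the advisory's host indicators.

    `path` is a Windows-style path string, `data` the file's bytes.
    """
    reasons = []
    digest = hashlib.md5(data).hexdigest()
    name = classify_hash(digest)
    if name is not None:
        reasons.append(f"md5 {digest} matches {name}")
    p = PureWindowsPath(path)
    if p.name.lower() in DROPPED_FILES and p.parent.name.lower() == DROPPED_DIR:
        reasons.append(f"dropped-file path {p}")
    return reasons


# Constructed key=value flow-log format (an assumption, not a real product format)
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def find_c2_candidates(log_lines):
    """Return (src, dst) pairs for outbound connections to the advisory's C&C port."""
    hits = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if m and int(m.group("dport")) == C2_PORT:
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed sample log lines; the addresses are documentation ranges, not real C&C servers
SAMPLE_FLOW_LOG = [
    "10:00:01 src=10.0.5.21 dst=203.0.113.7 dport=1080 proto=tcp",
    "10:00:02 src=10.0.5.21 dst=198.51.100.3 dport=443 proto=tcp",
    "10:00:03 src=10.0.5.40 dst=203.0.113.7 dport=1080 proto=tcp",
]

if __name__ == "__main__":
    # Constructed file contents; only the path triggers here, not the hash
    sample_path = r"%Userprofile%\All Users\jane.exe"
    for reason in classify_file(sample_path, b"constructed sample bytes"):
        print("host indicator:", reason)
    for src, dst in find_c2_candidates(SAMPLE_FLOW_LOG):
        print(f"network indicator: {src} -> {dst}:{C2_PORT}")
```

Port 1080 is also the conventional SOCKS proxy port, so a connection to it is only a lead; correlate a port 1080 hit with the host indicators (the dropped files or a hash match) before treating a machine as infected.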

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: GamaPos.ABC (Trojan)
  • GAV: GamaPos.ABD (Trojan)