LockPos, the new point-of-sale malware actively spreading in the wild. (Jul 14, 2017)


The SonicWall Threats Research team observed reports of a new variant POS family named GAV: LockPOS.A actively spreading in the wild. LockPOS malware affecting point-of-sale systems has been discovered to rely on Windows Explorer to deliver stolen card data to the attackers.

Infection Cycle:

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable file to %Allusersprofile%Application Data folder With Random name and then injects Explorer.exe to collects information from target system.

LockPOS retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

The malware tries to Enumerate Credit Card Data from POS Software. The hackers use the following API functions such as:

  • FindResourceW

  • CryptDecrypt

  • RtlDecompressBuffer

The malware generates two files [Random Name].exe and[Random Name].bin in All user profile folder. The [Random Name].exe file it’s a dropper and [Random Name].bin file contains encrypted Credit Card information.

The malware sends an HTTP request to its own C&C server such as following example:

Command and Control (C&C) Traffic

LockPOS performs C&C communication over HTTP protocol.

The malware sends HTTP request to its own C&C server with following formats, here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: LockPOS.A (Trojan)

  • GAV: LockPOS.A_2 (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.