LockPOS, a new point-of-sale malware actively spreading in the wild (Jul 14, 2017)
The SonicWall Threats Research team has observed reports of a new point-of-sale (POS) malware family, detected as GAV: LockPOS.A, actively spreading in the wild. LockPOS targets POS systems and relies on Windows Explorer (explorer.exe) to deliver stolen card data to the attackers.
![](http://software.sonicwall.com/gav/LockPos.A_files/image001.png)
Infection Cycle:
The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:
![](http://software.sonicwall.com/gav/LockPos.A_files/image002.png)
Once the computer is compromised, the malware copies its own executable to the %AllUsersProfile%\Application Data folder under a random name and then injects code into explorer.exe, which collects information from the target system.
LockPOS retrieves the list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.
![](http://software.sonicwall.com/gav/LockPos.A_files/image003.png)
The malware attempts to enumerate credit card data held by the POS software. The sample calls Windows API functions including the following (FindResourceW locates an embedded resource, CryptDecrypt decrypts a buffer, and RtlDecompressBuffer decompresses one):
- FindResourceW
- CryptDecrypt
- RtlDecompressBuffer
The malware generates two files, [Random Name].exe and [Random Name].bin, in the All Users profile folder. The [Random Name].exe file is the dropper, and the [Random Name].bin file contains the encrypted credit card information.
The malware sends an HTTP request to its own C&C server, for example:
![](http://software.sonicwall.com/gav/LockPos.A_files/image004.png)
Command and Control (C&C) Traffic
LockPOS performs its C&C communication over HTTP.
The malware sends HTTP requests to its own C&C server in the following format; here is an example:
![](http://software.sonicwall.com/gav/LockPos.A_files/image005.png)
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
![](http://software.sonicwall.com/gav/LockPos.A_files/image006.png)
SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: LockPOS.A (Trojan)
- GAV: LockPOS.A_2 (Trojan)