How to Protect Retail POS Systems from Ransomware, Advanced Cyberattacks

Of all the IT resources retailers maintain, it’s hard to claim that any system is more important than their point-of-sale (POS) systems.

POS systems bring in revenue and tie into other IT infrastructure, such as finance, customer analytics or inventory within the supply chain.

Retail, as a whole, is the industry most subject to cyberattacks, according to a recent Computer Weekly article. And as my colleague earlier outlined in “Retail POS Fraud: The Rising Challenge,” the POS systems are key attack targets. The credit card data and, in some cases, electronic protected health information (ePHI) retailers (think about your local pharmacy) hold are gold to attackers.

POS systems have evolved over time. Many retailers are now using mobile and tablet-based POS systems, often with cloud-based, back-end systems. Given their lower price points when compared to more traditional POS options, these newer systems help many small- to medium-sized businesses take advantage of the availability and efficiency of POS without requiring heavy hardware or infrastructure investments.

Ransomware Targeted Retail POS Systems

But this means more protected information than ever is traveling between POS front- and back-end systems, and the attack surface for retailers using these systems is broader than ever. POS malware, disguised and silently injected onto target systems, has been the cause of a number of publicized retail data breaches over the past year.

Retailers are increasingly targeted by ransomware, which has the effect of stopping retail operations — and revenue generation — in its tracks. In addition to the immediate impact on revenue and profit (payouts to ransomware authors are not cheap and often unsuccessful), a ransomware attack can have a long-term impact on customers’ perception of retailers as safe businesses to shop. That alone can be fatal to small- and medium-sized retailers. A breach can also have PCI compliance implications.

Cerber ransomware delivers this message demanding payment for data.

Like other forms of cyberattacks, ransomware code can be heavily disguised and not detected by many anti-malware products and services.

Using RTDMI to Protect Retail POS Systems

For retailers that have stepped up their game with newer POS systems, more advanced security controls, such as technology that integrates sandbox security and real-time memory inspection, are required.

For example, the SonicWall Capture Advanced Threat Protection (ATP) sandbox service is particularly adept at rooting out malware that might otherwise escape detection. Our patent-pending Real-Time Deep Memory Inspection™ (RTDMI) engine forces malware to reveal itself in a secure, multi-sandbox environment. Using machine learning, RTDMI can identify malicious code in under 100 nanoseconds.

Through static inspection and dynamic analysis, RTDMI also can uncover malware hidden inside Microsoft Office files and PDFs. SonicWall Capture Labs has verified that the RTDMI engine can stop new forms of malware that attempt to exploit Meltdown and Spectre vulnerabilities.

Our new white paper, “Why Retail Networks Need Real-Time Deep Memory Inspection,” explains how RTDMI works and what it detects. The paper walks through two examples of how RTDMI was able to discover malware before it was able to infect target systems, including the case of Cerber ransomware shown above.

RTDMI is available as part of Capture ATP at no additional cost to SonicWall customers. Retail IT and security professionals, take the time to review the white paper and learn more about how Capture ATP and RTDMI can improve the security of the POS systems and infrastructure you count on.

Get the White Paper: Why Retail Networks Need RTDMI™

Retail is a prime target for new multi-vector malware that is increasingly difficult to detect. SonicWall Real-Time Deep Memory Inspection™ (RTDMI) adds depth of protection against emerging malware, at no additional cost to Capture Advanced Threat Protection (ATP) users. Get this exclusive white paper to explore how RTDMI works and what it detects.

Windows file type “.SettingContent-ms” is vulnerable to command execution using the DeepLink attribute

A vulnerability in the Windows file type .SettingContent-ms was reported last month that could allow arbitrary code execution on a targeted machine. “.SettingContent-ms”, introduced in Windows 8, is a shortcut file that links users to a Windows 8/10 settings page. It is a simple XML document with a <DeepLink> tag that specifies the location of the settings page to open, and that target is allowed to be a command such as PowerShell or cmd.exe. Attackers have abused this feature to download and execute malicious payloads. The SettingContent-ms file can be embedded in Microsoft Office documents via the Object Linking and Embedding (OLE) feature, and it can even evade Windows 10 defenses such as Attack Surface Reduction (ASR). Hence Microsoft recently blocked .SettingContent-ms files from being activated via OLE in Outlook and Office documents by adding the format to its list of dangerous file formats.

As expected, attackers have changed course from Office to PDF documents, embedding the SettingContent-ms file in a PDF and delivering it through email campaigns. Let's take a look at a PDF sample that exploits the vulnerability described above.

When the PDF sample with the embedded SettingContent-ms file is launched, a warning message pops up about the potential harm to the computer.

When the user clicks OK, the ‘OpenAction’ given in the PDF is performed, i.e. the JavaScript function rfunc900() specified under ‘OpenAction’ is invoked, which in turn launches the embedded ‘downl.SettingContent-ms’ file.

The embedded file ‘downl.SettingContent-ms’, shown below, is copied to the temp directory and launched automatically. The highlighted <DeepLink> tag contains a PowerShell command which downloads a malicious payload from 169.239.*.* and silently executes it.

The malicious payload Update12.exe, upon execution, communicates with the payload server to download further malicious payloads.
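A defender triaging a quarantined shortcut wants a quick answer to one question: does the <DeepLink> point at a settings page, or at a shell? The following Python is an added example written for this page, not SonicWall's detection logic and not the sample's own file. It parses the XML, pulls every DeepLink value regardless of namespace and classifies it. The two sample documents are constructed; they follow the ordinary .SettingContent-ms layout, and the "abusive" one carries only a harmless placeholder command rather than the downloader from the campaign.

```python
"""Static triage of .SettingContent-ms shortcut files.

Flags a <DeepLink> whose target is a shell or script interpreter rather than
a settings page. The sample documents below are constructed for this
example; the suspicious one carries a placeholder command, not a payload.
"""
import re
import xml.etree.ElementTree as ET

# Interpreters and living-off-the-land binaries that have no business being
# the target of a settings shortcut (heuristic list, this example's own).
SUSPICIOUS_HOSTS = (
    "cmd.exe", "cmd ", "powershell", "pwsh", "wscript", "cscript",
    "mshta", "rundll32", "regsvr32", "certutil", "bitsadmin",
)

def deep_links(xml_text: str) -> list[str]:
    """Return the text of every <DeepLink> element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    return [
        (el.text or "").strip()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "DeepLink"
    ]

def classify_deep_link(link: str) -> tuple[str, str]:
    """Return (verdict, reason) for one DeepLink value."""
    lowered = link.lower()
    for host in SUSPICIOUS_HOSTS:
        if host in lowered:
            return "suspicious", f"DeepLink invokes {host.strip()}"
    # A legitimate link is a bare executable path or an ms-settings: URI;
    # arguments after the executable deserve a second look.
    if re.search(r"\.exe\s+\S", lowered):
        return "suspicious", "DeepLink passes arguments to an executable"
    return "benign", "DeepLink points at a settings page"

def triage(xml_text: str) -> list[tuple[str, str, str]]:
    """Classify every DeepLink in a file: [(link, verdict, reason), ...]."""
    return [(link, *classify_deep_link(link)) for link in deep_links(xml_text)]

def make_sample(deep_link: str) -> str:
    """Build a constructed .SettingContent-ms document around one DeepLink."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deep_link}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed samples: a normal Control Panel shortcut and a hypothetical
# abusive one whose only "payload" is a harmless placeholder echo.
BENIGN_SAMPLE = make_sample("%windir%\\system32\\control.exe")
SUSPICIOUS_SAMPLE = make_sample(
    'cmd.exe /c powershell.exe -c "Write-Host PLACEHOLDER"'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        for link, verdict, reason in triage(doc):
            print(f"{name:10s} {verdict:10s} {reason}: {link}")
```

The namespace-agnostic tag match matters: the legitimate format declares a default namespace on <SearchableContent>, so a naive `root.find("DeepLink")` returns nothing and the check silently passes.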

Trend Graph:

If a user accidentally clicks OK to open the SettingContent-ms file while launching the PDF, the malicious command is executed and compromises the user's machine. Since Microsoft has blocked this file format in Office documents, more such exploits can be expected in PDFs.

SonicWALL Threat Research Lab provides protection against this exploit via the following signature:

SPY 5206 Malformed-PDF-SettingContent

AZORult infostealer first spotted by Sonicwall RTDMI engine

The SonicWall RTDMI engine observed a malware campaign delivering a new variant of the AZORult stealer. AZORult is an infostealer that collects various information from the infected system and sends it to its server. At the time of detection the malicious file was absent from popular malware search portals (VirusTotal, ReversingLabs), which indicates the effectiveness of the RTDMI engine.

Fig-1 : Virustotal results for the malicious file

Analysis of AZORult
Upon analysis, it was found that the malware is packed with a custom packer to avoid detection.
After unpacking, it first retrieves information from the system, including the following:

  1. Machine GUID
  2. User Name
  3. Machine Name
  4. Windows version

Fig-2 : GUID

Fig-3 : Querying GUID

Fig-4 : Get computer name

Fig-5 : Get user name

After retrieving the information, it creates a named mutex to ensure only one instance is running on the system.

The malware encrypts each piece of information with the hardcoded XOR key “0x6521458A” and concatenates the results.
After concatenation, it URL-encodes the encrypted data. The URL-encoded data is shown below:

All of this stolen information is sent to the C&C server.

The malware connects to this IP address “”.

Fig-6 : XOR loop to decrypt stolen information
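The XOR-then-URL-encode transform is simple enough that an analyst can reverse it on captured traffic, and the same routine doubles as a detection: a request body that, after undoing the XOR with the known key, yields a Machine GUID in the first field is almost certainly this check-in. The Python below is an added example written for this page, not code from the sample or from SonicWall. The key value 0x6521458A comes from the write-up; everything else is an assumption made here: the key is applied as four little-endian bytes repeated over the data, the fields are joined with ':' before encryption, and the host data is constructed.

```python
"""Decoding an AZORult-style check-in.

Reproduces the transform described in the write-up (XOR with a hardcoded
key, concatenate, URL-encode) on constructed host data, and uses the inverse
as a detection heuristic over a request body. Key layout, field separator
and sample values are assumptions of this example.
"""
import re
import struct
from urllib.parse import quote_from_bytes, unquote_to_bytes

KEY = struct.pack("<I", 0x6521458A)   # assumed little-endian layout of the key
SEP = b":"                            # assumed field separator
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_checkin(fields: list[str]) -> str:
    """Encrypt, concatenate and URL-encode the collected fields."""
    plain = SEP.join(f.encode("utf-8") for f in fields)
    return quote_from_bytes(xor_bytes(plain), safe="")

def decode_checkin(encoded: str) -> list[str]:
    """Undo the URL encoding and the XOR, then split the fields back out."""
    plain = xor_bytes(unquote_to_bytes(encoded))
    return [f.decode("utf-8", "replace") for f in plain.split(SEP)]

def looks_like_checkin(encoded: str) -> bool:
    """Detection heuristic for a request body: after undoing the XOR with the
    known key, the first field should be a Machine GUID and at least the four
    fields listed in the write-up should be present."""
    fields = decode_checkin(encoded)
    return len(fields) >= 4 and GUID_RE.match(fields[0]) is not None

# Constructed host data, in the order the write-up lists it.
SAMPLE_FIELDS = [
    "1f3a9c2e-7b44-4d0e-9a1b-0c2d3e4f5a6b",  # Machine GUID (constructed)
    "jdoe",                                   # user name
    "WORKSTATION-01",                         # machine name
    "Windows 10 Pro",                         # Windows version
]

if __name__ == "__main__":
    body = encode_checkin(SAMPLE_FIELDS)
    print("encoded :", body)
    print("decoded :", decode_checkin(body))
    print("matches :", looks_like_checkin(body))
```

Because XOR is symmetric, `encode_checkin` and `decode_checkin` share one primitive; the only thing a proxy-side detector needs is the key, which is why a hardcoded key is such a weak choice for the malware author.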

The malware also steals the accounts stored in browsers and in various software present on the infected machine, for example Skype and Telegram.

On further analysis, it was also found that the malware looks for cryptocurrency information stored on the infected machine and steals it along with the passwords.

The following image shows the strings related to the information the malware looks for in the system:

Fig-7 : Cryptocurrency related string

Fig-8 : Cryptocurrency and password related strings

The malware also obtains the IP address and country code of the infected machine by querying the following URL:

All of the above information is stolen and sent to the C&C.

Indicators of Compromise: 2b9533f2065ed12f2c8d22d84252dcd5bee725cfaede304efd014cc6bdcc7c5d


Malware demands Bitcoin fine for fraudulently detecting pirated software

Running pirated software comes with risks. Counterfeit software packages commonly come bundled with adware or malware that can infect your system. Most importantly, using pirated copies is illegal, and copyright infringement may result in serious legal penalties. The SonicWall Capture Labs Threat Research team has observed malware that pretends to be from a government agency, warns the victim that pirated software was found running on their system, and demands that a fine be paid in cryptocurrency.

Infection cycle:

This malware pretends to be an archive file and uses the following icon:

Upon execution it drops an archived file in the temp directory:

  • %TEMP%\

It then creates component files in the user profile directory under a randomly named folder such as the following:

  • %USERPROFILE%\LOEcook\jwEUMokU.exe
  • %USERPROFILE%\LOEcook\jwEUMokU.inf

The malware adds the hidden attribute to these component files and to the folder.

It then makes the following remote connections:

It overwrites all photo, music and archive files on the victim’s machine with its own executable, so every time one of these files is accessed a copy of the malware is actually executed. It keeps the original filename and icon for the overwritten files, so .bmp files still appear to be image files, as seen in the screenshot below.

But tweaking the folder options to unhide extensions for known file types reveals that these files are in fact executables.
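Hiding extensions is a display setting; the file contents do not change, and that is what a responder can check. The following Python is an added example written for this page (not SonicWall's tooling): it walks a directory tree and reports any image, audio or archive file whose leading bytes are a PE "MZ" header instead of the magic number its extension promises. The magic-number table is this example's own and not exhaustive, and the directory it scans is a constructed fixture built in a temporary folder.

```python
"""Hunting for Virlock-style overwritten media files.

An infector that replaces photos, music and archives with copies of itself
keeps the original names, so the tell is content, not extension: a .bmp whose
bytes begin with "MZ" is not a bitmap. Magic table and fixture are this
example's own.
"""
import tempfile
from pathlib import Path

# Expected leading bytes per extension (constructed table, not exhaustive).
MAGIC = {
    ".bmp": (b"BM",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}
PE_MAGIC = b"MZ"

def verdict_for(ext: str, head: bytes) -> str:
    """Classify a file from its extension and first few bytes."""
    ext = ext.lower()
    if ext not in MAGIC:
        return "unknown-type"          # not a type this scanner vouches for
    if head.startswith(PE_MAGIC):
        return "pe-masquerade"         # an executable wearing a media extension
    if any(head.startswith(m) for m in MAGIC[ext]):
        return "ok"
    return "mismatch"                  # not PE, but not what the extension says either

def classify_file(path: Path) -> str:
    with path.open("rb") as fh:
        return verdict_for(path.suffix, fh.read(16))

def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, verdict) for every checked file that is not clean."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            verdict = classify_file(p)
            if verdict not in ("ok", "unknown-type"):
                findings.append((p.relative_to(root).as_posix(), verdict))
    return findings

def build_sample_tree(root: Path) -> None:
    """Constructed fixture: two genuine media files and two overwritten ones."""
    (root / "pics").mkdir(parents=True, exist_ok=True)
    (root / "pics" / "holiday.bmp").write_bytes(b"BM" + b"\x00" * 30)
    (root / "pics" / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"   # stand-in for the infector
    (root / "pics" / "beach.jpg").write_bytes(fake_pe)
    (root / "backup.zip").write_bytes(fake_pe)

def demo() -> list[tuple[str, str]]:
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:15s} {rel}")
```

Only the first 16 bytes of each file are read, so the scan is cheap enough to run across a whole user profile; a "pe-masquerade" hit on a media extension is a strong signal worth escalating even before the sample is identified.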

Upon successful infection, it displays the following warning message from the “National Security Bureau” and locks the screen of the victim machine until a fine is paid in bitcoins.

It also adds a Run key to the registry to ensure that the malware executes and locks the screen again upon reboot.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run  jwEUMokU  “%USERPROFILE%\LOEcook\jwEUMokU.exe”

A quick check of the bitcoin address 98tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv referenced in the warning message suggests that this malware has not been very successful.

But following one of the outgoing transactions from this address, we found an address known to be related to the CryptoLocker main chain, and thus we conclude that this malware must be by the same malware author.

Malware authors, particularly ransomware operators, are known to generate multiple addresses and have been observed to execute several coordinated transactions in an attempt to further obfuscate the “paper trail” between two or more bitcoin addresses.

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Virlock.E_2 (Trojan)
  • GAV: BackDoor.AAAB (Trojan)

What Is SonicWall Partner Enabled Services?

The technology industry is one of the fastest-moving business sectors today. To protect privacy, data, applications and assets, security infrastructures must operate at the same speed. Advanced cyber threats require new products and functionalities, but IT departments are often lost in the sea of information they have to absorb to stay current.

And that’s where technology partners are needed most.

To ensure SonicWall Partners are fully equipped to address this need, the SecureFirst Partner Enabled Services (PES) program offers partners expert training and guidance so they can effectively deploy and support SonicWall’s latest security offerings.

Partners enrolled in the program have grown their revenue in excess of 15 percent year over year. All Partner Enabled Services courses are completely free and accessible through the SonicWall University platform. The only requirement is to be part of the SonicWall SecureFirst Partner program.

There are three different Authorizations within the program, with different layers of complexity:

  • Implementation Services Authorization: Designed for SecureFirst Partners looking to provide basic implementation services for state-of-the-art SonicWall firewalls.
  • Solution Services Authorization: Enables SecureFirst Gold and Platinum Partners to perform assessments of firewall configurations through a Security Health Check service, which provides a report outlining suggestions to maximize the security of their customer’s network.
  • Architecture Services Authorization: Equips SecureFirst Gold and Platinum Partners to implement more complex or larger-scale SonicWall products. For example, Authorized Architecture Services Partners are trained to implement DPI-SSL with the help of our automated certificate-deployment tool, which drastically reduces deployment time. Partners are also enabled to conduct remote implementation services for SonicWall NSv virtual firewalls.

After completing the required training, partners become SonicWall Authorized Services Partners. Authorized Services Partners can display the SecureFirst Authorized Services Partner logo on their website and leverage marketing materials to give prospects and customers added peace of mind, knowing that their security team has a high level of expertise with SonicWall solutions.

SonicWall’s Consistent Value, Cyber Security Effectiveness Earn ‘Recommended’ Rating from NSS Labs

For far too long the modern organization has been told it must pay hundreds of thousands of dollars (or even millions) for powerful, enterprise-grade security.

But for more than 25 years, SonicWall’s mission has been to deliver consistent value and powerful cyber security for organizations of all sizes and budgets. For the fifth time since 2012, this has been validated by one of the most trusted, fact-based organizations in the industry: NSS Labs.

In its 2018 group test of next-generation firewalls (NGFW), NSS Labs strongly positioned SonicWall and the NSa 2650 firewall in the upper-right ‘Recommended’ quadrant of the 2018 NSS Labs Security Value Map™ (SVM).

“NSS Labs is committed to independent testing that helps enterprises make informed cybersecurity decisions,” said NSS Labs CEO Vikram Phatak in SonicWall’s official announcement. “With ‘Recommended’ ratings for five years, SonicWall next-generation firewalls are an excellent choice for any company seeking devices with strong security and consistent product quality to evolve their security architectures. We applaud SonicWall’s focus on product consistency and security effectiveness.”

This year’s in-depth firewall comparison comprised totals based on security effectiveness, block rates, stability, performance, product purchase price, maintenance, installation costs, required upkeep, management and installation. In its head-to-head comparison tests, NSS Labs verified that the NSa 2650:

  • Remains one of the highest-rated and best-value NGFWs in the industry, with a 98.8 percent security effectiveness rating
  • Delivers second-best total cost of ownership (TCO) with $4 per protected Mbps
  • Tested 100 percent effective in countering all advanced HTTP evasion, obfuscation and fragmentation techniques
  • Earned 100 percent ratings in stability and reliability testing

Many factors are taken into consideration when weighing vendor options, measuring security efficacy and calculating TCO.

Security Effectiveness of Firewalls

NSS Labs conducts one of the industry’s most respected, comprehensive and fact-based validation programs for a full range of cybersecurity products, including network and breach security, endpoint protection, cloud and virtual security, and more.

For this year’s comparison test, the SonicWall NSa 2650 next-generation firewall was compared against other industry offerings. During the NSS Labs evaluation, SonicWall NSa 2650 endured thorough testing exercises via the NSS Exploit Library, which exposed the appliance to more than 1,900 exploits.

To ensure real-world testing conditions, NSS Labs engineers use multiple commercial, open-source and proprietary tools to launch a broad range of attacks. The SonicWall NSa 2650 blocked 98.8 percent of all attacks and was 100 percent reliable during testing. SonicWall was also successful in countering 100 percent of all advanced HTTP evasion, obfuscation and fragmentation techniques.

The SonicWall NSa 2650's strong security effectiveness and the findings within the NSS report are applicable to the entire SonicWall NSa next-generation firewall series.

Total Cost of Ownership for Firewalls

“SonicWall offers the second-lowest TCO with $4 cost per protected Mbps.”

The cyber security industry’s pricing models are, frankly, out of date. Too many legacy vendors believe their old way of doing business — charging hundreds of thousands, or even millions of dollars — is beneficial to end customers and prospects. In some cases, high-end hardware is required, but there should also be powerful, cost-effective options for today’s business.

SonicWall understands and embraces this change.

It’s the reason we continually monitor and refine our pricing structures to ensure every organization is able to protect themselves from today’s most malicious cyberattacks. And we’re proud to say that NSS Labs found SonicWall to offer the second-lowest TCO with $4 cost per protected Mbps.

NSS Labs calculates TCO across a three-year period. At a high level, the formula includes:

  • Year 1 Purchase Price
  • Year 1 Installation & Labor
  • Year 1 Maintenance Costs
  • Year 2 Maintenance Costs
  • Year 3 Maintenance Costs

According to NSS Labs, “Calculations are based on a labor rate of $75 (USD) per hour and vendor-provided pricing information. Where possible, the 24/7 maintenance and support option with 24-hour replacement is used, since enterprise customers typically select that option. Pricing includes one enterprise-class CMS to manage up to five devices.”

As a best practice, enterprises and security-conscious organizations should include TCO as part of their NGFW evaluations, including:

  • Acquisition costs for NGFW and a central management system (CMS)
  • Fees paid to the vendor for annual maintenance, support and signature updates
  • Labor costs for installation, maintenance and upkeep

Beware of weaponized PDF

SonicWall sees an older PDF exploit still active and successful in tricking users into executing an arbitrary local program specified in a PDF document. This PDF requires neither JavaScript to be enabled nor the executable to be attached to the PDF. The malicious payload, i.e. the executable, is embedded in the PDF obfuscated with hex encoding. A PDF file can launch any command on the operating system by specifying a launch action, but this requires user confirmation through a pop-up message before the command executes. Later, the technique was refined to fool users by modifying the text of the pop-up message.


Adobe Reader 9.3.3 patched this vulnerability by implementing a blacklist that restricts the file formats that can be opened through PDF launch actions, i.e. it blocks certain executable files by default. Foxit Reader 3.3 also introduced a new feature called Secure Trust Manager that displays a warning message. Unlike Adobe, Foxit Reader does not block the launch command's execution but leaves it to the viewer's discretion.


Let's view the PDF sample in the latest Foxit Reader 9.1. I enabled Safe Reading mode in Foxit Reader and launched the PDF sample. I then got a pop-up with the message “File is set to be launched by PDF program but the operation is not allowed as safe reading is turned ON”. ‘Disable safe reading’ was already checked and ‘OK’ was highlighted. It is easy for any user to go wrong and click OK to proceed, and with a social engineering attack users can be easily deceived.

Below is the PDF content where the malicious executable is hex-encoded and embedded right after the PDF header. The PDF object strings that follow the payload are obfuscated too, to avoid detection.

Below is PDF object 5, where the launch action is specified. cmd.exe is launched when the PDF is opened; it creates a VB script (1.vbs), executes it with the Windows Script Host and then executes the malicious file msf.exe (cscript //B 1.vbs && start %Temp%\\\\msf.exe).

Below is the ‘1.vbs’ created by the shell command above, which in turn creates the executable msf.exe from the hex-encoded content in the PDF and drops it into the user's temp directory.

msf.exe then creates a reverse shell by connecting to the attacker's machine, through which the attacker achieves code or command execution.
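Both PDF campaigns on this page (the SettingContent-ms one with its JavaScript OpenAction and embedded shortcut, and this older launch-action one with a hex-encoded executable after the header) leave static traces that a mail gateway or triage script can spot without rendering the document. The Python below is an added example written for this page, not SonicWall's signature logic. It works on raw bytes and reports four indicators; the three PDF fragments it is fed are constructed, deliberately incomplete documents that exist only as test input, and the launched command in the first is a harmless echo.

```python
"""Static indicators for weaponized PDFs.

Checks raw PDF bytes for: a /Launch action, an /OpenAction paired with
JavaScript, an embedded .SettingContent-ms file, and a long hex blob that
decodes to a PE ("MZ") header. Regex-based and heuristic; the PDF fragments
below are constructed test input, not real documents.
"""
import re

HEX_RUN = re.compile(rb"[0-9A-Fa-f]{256,}")

def find_indicators(pdf: bytes) -> dict[str, list[str]]:
    """Return {indicator: [details, ...]} for every suspicious feature found."""
    hits: dict[str, list[str]] = {}

    def add(key: str, detail: str) -> None:
        hits.setdefault(key, []).append(detail)

    # 1. Launch actions: whatever follows /S /Launch up to the dictionary
    #    close names the program and its parameters.
    for m in re.finditer(rb"/S\s*/Launch(.{0,200}?)>>", pdf, re.S):
        add("launch", m.group(1).decode("latin-1").strip())

    # 2. A document-open action combined with JavaScript anywhere in the file.
    if b"/OpenAction" in pdf and re.search(rb"/(?:JavaScript|JS)\b", pdf):
        add("openaction_js", "/OpenAction present together with JavaScript")

    # 3. Embedded files whose name is a SettingContent-ms shortcut.
    if b"/EmbeddedFile" in pdf:
        for m in re.finditer(rb"/(?:UF|F)\s*\(([^)]*)\)", pdf):
            name = m.group(1).decode("latin-1")
            if name.lower().endswith(".settingcontent-ms"):
                add("embedded_settingcontent", name)

    # 4. Hex-encoded payloads: a long run of hex digits that decodes to "MZ".
    for m in HEX_RUN.finditer(pdf):
        run = m.group(0)
        if bytes.fromhex(run[:4].decode()) == b"MZ":
            add("hex_pe", f"{len(run) // 2}-byte hex blob starting with MZ at offset {m.start()}")

    return hits

def is_suspicious(pdf: bytes) -> bool:
    """Any one indicator is enough to pull the file for analysis."""
    return bool(find_indicators(pdf))

# Constructed sample 1: hex "executable" straight after the header plus a
# launch action, mirroring the older exploit (the command is a harmless echo).
LAUNCH_SAMPLE = (
    b"%PDF-1.4\n"
    + b"4D5A9000" + b"00" * 130 + b"\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
    + b"5 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed-sample) >> >>\nendobj\n"
    + b"%%EOF\n"
)

# Constructed sample 2: JavaScript on open plus an embedded SettingContent-ms
# shortcut, mirroring the newer campaign.
SETTINGCONTENT_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (rfunc900\\(\\);) >>\n"
    b"   /Names << /EmbeddedFiles << /Names [(downl.SettingContent-ms) 7 0 R] >> >> >>\nendobj\n"
    b"7 0 obj\n<< /Type /Filespec /F (downl.SettingContent-ms) /EF << /F 8 0 R >> >>\nendobj\n"
    b"8 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample 3: nothing of interest.
BENIGN_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("launch", LAUNCH_SAMPLE), ("settingcontent", SETTINGCONTENT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_indicators(doc))
```

Byte-level matching is deliberately crude: it does not follow object streams or decompress /FlateDecode content, so a negative result means only that nothing was visible in the clear. A positive result on any of the four indicators, especially /Launch or a SettingContent-ms attachment, is a reason to detonate the file in a sandbox rather than deliver it.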

Trend Graph:

The trend line below shows how this vulnerability is being exploited today.

Any malicious payload can be embedded in a PDF using this method and delivered to users as attachments in phishing or socially engineered emails or as links to download websites.


SonicWALL Threat Research Lab provides protection against this exploit via the following signature:

GAV 33952: Malformed.pdf.MT.1

FBI screen locker trojan poses as Fortnite mod

The SonicWall Capture Labs Threat Research Team has come across malware purporting to be a mod for the popular online multiplayer game Fortnite. Mods for such popular games are commonplace, and it is quite typical for them to be laden with malware. Unlike most ransomware nowadays, this malware is a simple lock-screen trojan and does not encrypt files and hold them to ransom. Another unusual element is that the payment demanded is small, at $100 USD. Rather than demanding cryptocurrency, the victim is required to load $100 USD onto a prepaid credit card and submit the card details to the operator via email.

The Trojan uses the following Fortnite icon:

Upon infection the Trojan adds the following key to the registry to enable persistence after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Epic Games “<original run location>”
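Both lockers on this page, the "National Security Bureau" fine demander and this Fortnite one, survive a reboot through a single value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and both values stand out on inspection: one runs from a hidden folder under %USERPROFILE% with a random-looking name, the other from wherever the user dropped the download. The Python below is an added example written for this page, not SonicWall's tooling. It audits the text that `reg export` produces for that key; the export it reads is constructed (the benign "Vendor Updater" entry and the file paths are made up), and the user-writable-location list and the "machine-generated name" heuristic are this example's own assumptions.

```python
"""Auditing HKCU Run entries from a .reg export for locker-style persistence.

Parses the text `reg export` writes for the Run key (the export below is
constructed) and flags values whose command lives in a user-writable location
or whose value name looks machine-generated. Thresholds are assumptions.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Locations a normal installer would not use for an auto-start (heuristic list).
USER_WRITABLE = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
                 "c:\\users\\", "\\appdata\\", "\\temp\\")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
CAMEL_RE = re.compile(r"^(?:[A-Z][a-z]+)+$")   # e.g. OneDrive: words, not noise

def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text: str) -> dict[str, str]:
    """Return {value name: command} for the HKCU Run key in a .reg export."""
    entries: dict[str, str] = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def looks_random(name: str) -> bool:
    """Heuristic: letters only, six or more characters, not a CamelCase word
    sequence, not all one case, and at least three case flips."""
    if not name.isalpha() or len(name) < 6 or CAMEL_RE.match(name):
        return False
    if name.islower() or name.isupper():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    return flips >= 3

def in_user_writable_path(command: str) -> bool:
    lowered = command.lower()
    return any(token in lowered for token in USER_WRITABLE)

def audit(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (value name, command, reasons) for every entry worth a look."""
    findings = []
    for name, cmd in parse_run_entries(reg_text).items():
        reasons = []
        if in_user_writable_path(cmd):
            reasons.append("runs from a user-writable location")
        if looks_random(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings.append((name, cmd, "; ".join(reasons)))
    return findings

# Constructed export: one ordinary vendor entry plus the two locker-style
# entries from this page, with a placeholder path standing in for the
# Fortnite mod's original download location.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Vendor Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"jwEUMokU"="\"%USERPROFILE%\\LOEcook\\jwEUMokU.exe\""
"Epic Games"="C:\\Users\\alice\\Downloads\\fortnite_mod_PLACEHOLDER.exe"
'''

if __name__ == "__main__":
    for name, cmd, why in audit(SAMPLE_EXPORT):
        print(f"{name!r}: {cmd}\n    {why}")
```

A value name like "Epic Games" passes the randomness test, which is the point of the second check: a plausible name is no reassurance when the command behind it runs from a Downloads folder, so the two heuristics are reported independently rather than combined into one score.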

It does not add or modify any files on the filesystem.

The executable file contains the following metadata:


It displays the following page in fullscreen mode:

The page is locked on the screen and cannot be removed unless the correct code is entered.  After reboot, it is displayed again due to the added registry key.

The “About Visa Gift Cards” button shows the following messagebox:


The “Help” button shows the following messagebox:


The “About” button shows the following messagebox:


We contacted the operator concerning payment and received the following reply:

Fortunately, the unlock code (290274887) is publicly known.  The following message is displayed once the code is entered:


SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FBILocker.RSM (Trojan)

Maintaining Your Most Valuable Assets

by Charles Ho
SonicWall Outside Regional Sales Director

Creating a team of skilled security professionals is the single biggest gap for businesses today. While this gap is fueling the need for managed security services, managed security service providers (MSSPs) also face the same problem.

MSSP staff members are constantly being approached by recruiters, competitors and even their customers. The value that MSSPs deliver to their customers correlates directly with the talented people running their operations. How can you better keep your security operations center (SOC) analysts happy, engaged and committed for the long term? Compensation is obvious, but I want to focus on three arguably more important factors: technology, team building and enablement.


Throughout an analyst’s day, they’re touching different technologies at the customer site and in your SOC. Having access to the right tools can make the job significantly more effective and efficient, which cuts down on frustration and increases productivity.

Involve analysts in technology choices

Which threat detection technology should your customer deploy? Ask your analyst! They understand what’s effective but more importantly, which technologies make their job easier. One brand’s alerts may only show a title, but another brand may provide comprehensive access to packet data as well as additional context from threat intelligence feeds. This is even more important when evaluating SOC tools. Changing to a more cost-effective tool that your analysts hate will only result in employee attrition.

Look at automation

Many MSSPs I talk to are looking at automation to reduce costs by increasing the analyst-to-customer ratio. However, the bigger benefit is being able to reduce the amount of Level 1 work an analyst needs to perform. Analysts love working on net-new cases where they can potentially unravel a significant breach and will, in many cases, work overtime to continue to triage. The opposite is also true, where working on repetitive cases can lead to fatigue.

Team Building and Culture

Analysts don’t work alone. The more they can work as a team, the more effective they’ll be. The camaraderie of a team helps employees believe they’re part of something bigger than themselves. Here are some suggestions to improve the working environment:

Promote joint activities outside of work

  • Provide access to entertainment at the office with a focus on multiplayer activities, like ping pong
  • Plan regular team-building activities, like a staff lunch
  • Encourage involvement in company activities
  • Rotate analysts appropriately so everyone gets a chance to participate

Encourage interaction between SOCs

  • Hold regular video conference hand-offs; everyone needs to know everyone’s face
  • Offer cross-SOC training opportunities
  • Create options to relocate between SOCs

Enablement and Career

Just like any other job, a network security employee wants to grow professionally. Not only do they want to enhance their skills, but they also want the opportunity to progress to a bigger role. Unless you’re a global MSSP, the latter can be a challenge as the company structure can be very flat. Some suggestions for professional development:

Implement training and mentor programs

  • Particularly for a new analyst, it can be very rewarding to learn from someone senior. Establishing mentor relationships not only allows the new analyst to grow, but can also give the senior analyst a sense of accomplishment, especially if they’re not a manager.
  • Encourage and support external training activities. Sending someone to the yearly Black Hat global information security conference can be seen as a big reward, but attending smaller — and often free — vendor trainings can have similar effects.

Expand job scopes

It’s not always possible to promote an individual, but providing them unique opportunities to show off their capability can be an alternative to career progression.

  • Use case walkthroughs with the team to have analysts share interesting findings. This is even better if they can share their discoveries with people outside the SOC, such as the sales team.
  • Provide SOC tours to customers and have analysts walk through their daily activity and share sample cases.
  • Use monthly/quarterly customer reviews (onsite or remote) to show value to customers beyond reporting and alerting.

SOC analysts are your most valuable asset. Keep them happy and your business will prosper.

Learn more information about SonicWall’s SecureFirst partner program, which helps accelerate our partners’ ability to be thought-leaders and game-changers in the ever-evolving security landscape.

EVIL LOCKER Ransomware actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of EVIL LOCKER [EVILLOCKER.RSM] actively spreading in the wild.

EVIL LOCKER encrypts the victim's files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the dropper for EVIL LOCKER ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [File Name].[].EVIL
      • Instruction for recovery

Once the computer is compromised, the Ransomware copies its own executable into the %Userprofile% folder and runs the following commands:


The Ransomware encrypts all the files and appends the .EVIL extension onto each encrypted file’s filename.

After encrypting all personal documents, the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and telling the victim to contact its developer for unlock instructions.

Sonicwall Capture Labs provides protection against this threat via the following signature: