Trend Micro researcher Jay Yaneza says point-of-sale malware has begun using Microsoft .NET, following its release as open source last year.
Yaneza found the new so-called GamaPoS malware being distributed to US organisations including credit unions, developers, and pet care businesses through the resurgent Andromeda botnet. He says the use of .NET as a platform for building point-of-sale malware is unique and likely to be adopted by the criminal underground.
“GamaPoS holds the distinction of being a .NET scraper — something unseen in prior PoS threats,” Yaneza says.
“We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications.
“This makes .NET a viable platform to use for attacks.”
Yaneza says GamaPoS uses Andromeda’s backdoors to spread in a shotgun fashion, infecting about four percent of the botnet’s existing victims.
The malware bundles two tools: PsExec, which hackers used to help pop retailer Target last year, and the Mimikatz hack tool, considered one of the best vacuumers of Windows credentials.
That combination grants attackers a high degree of capability to move laterally inside breached networks.
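The PsExec and Mimikatz pairing leaves artefacts that defenders can look for in Windows logs: PsExec installs a remote service (System log event 7045, by default named PSEXESVC), and Mimikatz-style credential dumping opens a handle to lsass.exe (Sysmon event 10, ProcessAccess) with access masks such as 0x1010 or 0x1410 that are commonly associated with credential theft. The following is an added example, not code from Trend Micro or the article; it assumes the events have already been exported into a simple key=value line format, and the sample events below are constructed.

```python
"""Flag PsExec-style service installs and Mimikatz-style LSASS access in
normalised Windows event lines. Added example; the log format is an
assumption and the sample events are constructed, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Access masks frequently requested against lsass.exe by credential dumpers.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Minimal allowlist of Windows components that legitimately touch LSASS.
# Tune this per environment (EDR/AV agents will need adding).
KNOWN_LSASS_CLIENTS = {"csrss.exe", "wininit.exe", "services.exe",
                       "svchost.exe", "msmpeng.exe"}

# Constructed sample events in the assumed "Key=Value Key=Value" format.
SAMPLE_EVENTS = [
    "EventID=7045 Host=POS-TILL-03 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=7045 Host=POS-TILL-03 ServiceName=BackupAgent ImagePath=C:\\Program Files\\Backup\\agent.exe",
    "EventID=10 Host=POS-TILL-03 SourceImage=C:\\Windows\\Temp\\upd.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 Host=POS-TILL-03 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=4624 Host=POS-TILL-03 LogonType=3 Account=svc_pos",
]

# Key=Value pairs; values may contain spaces, so stop only before the next key.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one normalised event line into a dict of fields."""
    return dict(_KV.findall(line))


def is_psexec_service_install(ev):
    """Event 7045 whose service name or binary is the stock PsExec service."""
    if ev.get("EventID") != "7045":
        return False
    name = ev.get("ServiceName", "").upper()
    image = PureWindowsPath(ev.get("ImagePath", "")).name.upper()
    return name == "PSEXESVC" or image == "PSEXESVC.EXE"


def is_suspicious_lsass_access(ev):
    """Sysmon event 10 against lsass.exe with a credential-dump access mask
    from a process that is not a known LSASS client."""
    if ev.get("EventID") != "10":
        return False
    target = PureWindowsPath(ev.get("TargetImage", "")).name.lower()
    if target != "lsass.exe":
        return False
    try:
        access = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    source = PureWindowsPath(ev.get("SourceImage", "")).name.lower()
    return access in SUSPICIOUS_LSASS_ACCESS and source not in KNOWN_LSASS_CLIENTS


def detect(lines):
    """Run both rules over event lines; return one hit dict per match."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_psexec_service_install(ev):
            hits.append({"rule": "psexec_service_install",
                         "host": ev.get("Host"),
                         "detail": ev.get("ImagePath")})
        elif is_suspicious_lsass_access(ev):
            hits.append({"rule": "suspicious_lsass_access",
                         "host": ev.get("Host"),
                         "detail": ev.get("SourceImage")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Two caveats worth keeping in mind when turning this into a production rule: PsExec's `-r` switch lets an operator rename the remote service, so the 7045 rule should also alert on any new service whose binary lands in an unusual path, and the LSASS allowlist must be built from the environment's own baseline rather than the short list above.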
Victims are targeted using phishing scams that masquerade as would-be guidance on the Payment Card Industry Data Security Standard (PCI DSS) or as information on installing Oracle’s MICROS, a popular payment operating system that GamaPoS can also compromise.
GamaPoS will siphon Visa and Discover cards to its command and control servers over HTTPS.
The campaign’s organisers are also thought to be spreading the NitLovePoS payment operating system malware discovered in May.
“Using an old botnet as a shotgun method to cast a wide net for targets has its merits,” Yaneza says.
“Using spam and exploit kits to establish a large mass of bots enables operators to steal information from specific targets, some of which can be resold to other threat actors.”