NitlovePOS: New Point of Sale malware that steals payment card information

29623190_sIn recent times we have seen the rise of POS or Point of Sale malware (Remember PoSeidon?) designed to extract and transmit payment card information. According to this post by FireEye, a new variant of this malware family has emerged, one that is capable of stealing track one and track two payment card data. This malware, Nitlove, scans the processes on a compromised system, and after obtaining the payment card data, sends it back to the controlling webserver using SSL. Nitlove is mostly spread through malicious macro files attached to spam emails.

Victims infected through malicious macro files found in spam emails

Instead of first targeting their victims, the cybercriminals send out bulk spam messages through spoofed Yahoo! Mail accounts with a generic subject like: “Any jobs?”, “Internships?”, “My Resume” and so on. This indiscriminate spam campaign began on Wednesday, May 20, 2015 with the obvious goal of infecting as many users as possible with the attached malware.

Each of the spam emails contained an attached document file named CV_[4 numbers].doc or My_Resume_[4 numbers].doc which were embedded with a malicious macro. In order to convince the user to allow the macro to run, the documents even proclaim to be “Protected”.

Source: FireEye

Once executed, the macro downloads one of many malicious files present in the included url: “80.242.123.155/exe/”. For example 80.242.123.155/exe/dro.exe. It turns our several of the malicious files are named “pos.exe” which suggests the intended target of the cybercriminals might be point of sale machines.

After infecting the system, the malware ensures its survival by creating a registry key that enables it to start-up automatically after reboot. The malware also sets up communications to one of three hardcoded C2 servers:

  • systeminfou48[.]ru
  • infofinaciale8h[.]ru
  • helpdesk7r[.]ru

Then begins the memory scrapping. After searching for any data resembling the payment card format, the malware sends matching data back to its creators through a secure SSL channel, making detection at the network-level more difficult.

The cybercriminals may even have a control panel to help orchestrate their malicious operations. More and more variants of such POS malware emerge, as the existing ones are detected and blocked. It looks like the cybercriminals are not going to give up easily.

Have a nice (malware-free) day!