New POS Malware Named Abaddon
Posted by: Timothy Weaver on 11/16/2015 09:44 AM
[
Comments
]
Cyber-criminals have been trying to infect point of sale terminals in time for Christmas with a new strain of malware dubbed AbaddonPoS.
ProofPoint researchers discovered the malware on point of sale (POS) terminals which had previously been infected with the Vawtrak banking trojan. Evidence suggests that the malware was written by the same criminals.
It said that the malware could infect a terminal via the Angler exploit kit or via an infected Microsoft Office document.
The researchers said: "AbaddonPoS employs a CALL instruction to push a function parameter onto the stack rather than simply using, for instance, the more common PUSH instruction. A CALL instruction pushes the next address onto the stack, which is typically used as a return address following a RETN instruction.”
The malware tries to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
Vawtrak, a banking Trojan, downloaded TinyLoader, a downloader – which in turn, downloaded another downloader, which downloaded shellcode that turned into Abaddon.
Researchers with the firm also noticed two other mediums for the malware. In one, a user winds up getting hit by the Angler Exploit Kit, which uses a browser exploit to download Bedep, which then downloads Abaddon. In the second, a rigged Microsoft Word document downloads the Pony Loader, which then downloads Vawtrak, which then downloads TinyLoader, like the first exploit mechanism.
Source: TreatPost
ProofPoint researchers discovered the malware on point of sale (POS) terminals which had previously been infected with the Vawtrak banking trojan. Evidence suggests that the malware was written by the same criminals.It said that the malware could infect a terminal via the Angler exploit kit or via an infected Microsoft Office document.
The researchers said: "AbaddonPoS employs a CALL instruction to push a function parameter onto the stack rather than simply using, for instance, the more common PUSH instruction. A CALL instruction pushes the next address onto the stack, which is typically used as a return address following a RETN instruction.”
The malware tries to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
Vawtrak, a banking Trojan, downloaded TinyLoader, a downloader – which in turn, downloaded another downloader, which downloaded shellcode that turned into Abaddon.
Researchers with the firm also noticed two other mediums for the malware. In one, a user winds up getting hit by the Angler Exploit Kit, which uses a browser exploit to download Bedep, which then downloads Abaddon. In the second, a rigged Microsoft Word document downloads the Pony Loader, which then downloads Vawtrak, which then downloads TinyLoader, like the first exploit mechanism.
Source: TreatPost
Comments
