DareDevil PoS Malware, Infects Ticket Machines and Electronic Kiosks
A new strain of malware named “d4re|dev1|” (DareDevil) has been discovered by researchers at IntelCrawler. The malware has been detected on a number of Point of Sale (POS) solutions, including QuickBooks Point of Sale Multi-Store, Figure Gemini PoS, Harmony WinPOS, and OSIPOS Retail Management System. “This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features,” the researchers say in a blog post.
The malware disguises itself as a legitimate process, making it difficult to track. It can masquerade as Google Chrome or as PGTerm.exe, which appears to belong to the Pay&Go client product, a payment software solution. It can also be disguised as “hkcmd.exe,” a process that normally handles hot key interception on systems equipped with Intel graphics. The malware is not limited to POS systems: it is also attacking mass transit systems and ATMs. Although the expected gain from ATMs and transit systems is smaller, their security is typically much more lax than that of POS systems, and the attackers may have believed they could stay resident on these systems for longer.
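The process-name masquerading described above (chrome.exe, hkcmd.exe, PGTerm.exe) is something a defender can check for on a terminal without any malware signature: compare each running process's image path against where that binary legitimately lives. The following is an added example written for this page, not code from IntelCrawler or the article. The expected install paths for chrome.exe and hkcmd.exe are assumptions based on their usual locations, PGTerm.exe is placed on a watchlist with no baseline path assumed, and the process listing is a constructed sample rather than output from a real host.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Proc:
    """One running process as a host inventory tool would report it."""
    pid: int
    name: str      # image file name, e.g. "hkcmd.exe"
    path: str      # full path the image was loaded from
    signed: bool   # whether the image carries a valid Authenticode signature


# Assumed legitimate locations for the names DareDevil was reported to imitate.
# Patterns are matched case-insensitively after lowercasing; '*' spans directories.
EXPECTED_PATHS = {
    "chrome.exe": [
        r"c:\program files\google\chrome\application\chrome.exe",
        r"c:\program files (x86)\google\chrome\application\chrome.exe",
        r"c:\users\*\appdata\local\google\chrome\application\chrome.exe",
    ],
    "hkcmd.exe": [r"c:\windows\system32\hkcmd.exe"],
}

# Names with no assumed baseline path: every instance is surfaced for review.
WATCHLIST = {"pgterm.exe"}


def classify(proc: Proc) -> str:
    """Return 'ok' or a reason string explaining why the process needs attention."""
    name = proc.name.lower()
    path = proc.path.lower()
    if name in EXPECTED_PATHS:
        if any(fnmatchcase(path, pattern) for pattern in EXPECTED_PATHS[name]):
            # Right location, but an unsigned binary there is still suspicious.
            return "ok" if proc.signed else "suspicious:unsigned"
        return "suspicious:unexpected-path"
    if name in WATCHLIST:
        return "review:watchlist"
    return "ok"


def find_suspicious(procs):
    """Return (pid, name, reason) for every process that is not classified 'ok'."""
    findings = []
    for proc in procs:
        verdict = classify(proc)
        if verdict != "ok":
            findings.append((proc.pid, proc.name, verdict))
    return findings


# Constructed sample inventory from a hypothetical kiosk; not real host data.
SAMPLE_PROCS = [
    Proc(412, "hkcmd.exe", r"C:\Windows\System32\hkcmd.exe", True),
    Proc(1180, "hkcmd.exe", r"C:\Users\Kiosk\AppData\Roaming\hkcmd.exe", False),
    Proc(2204, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", True),
    Proc(2310, "chrome.exe", r"C:\ProgramData\chrome.exe", False),
    Proc(3001, "PGTerm.exe", r"C:\PayGo\PGTerm.exe", True),
    Proc(3322, "chrome.exe", r"C:\Users\kiosk\AppData\Local\Google\Chrome\Application\chrome.exe", False),
]

if __name__ == "__main__":
    for pid, name, reason in find_suspicious(SAMPLE_PROCS):
        print(f"pid={pid} name={name} {reason}")
```

On a real host the inventory would come from the operating system (for example a process listing joined with signature verification), and the path baselines should be derived from a known-good image of the terminal rather than hard-coded. The point of the check is that a lookalike name alone is not enough; the load path and signature together are what separate the genuine hkcmd.exe from an imposter dropped into a user profile directory.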
It is also unusual in that it includes a file-upload feature, which lets it update itself when needed and, experts believe, add new capabilities in the future. Alternatively, the same option can be used to drop additional backdoors and tools on the compromised machine in order to move laterally across the network. This suggests that the cybercriminals are interested in stealing information from as many machines as possible, focusing on large networks connecting a high number of payment terminals for increased profit.
PoS malware is specifically designed to look for card data directly in the memory of the compromised system, where it exists in an unencrypted state for the short period that payment verification takes.
Security found wanting
Considering how heavily merchants and e-commerce businesses depend on POS systems, one would expect them to have the best possible security mechanisms in place. Research following the discovery of DareDevil has busted this myth.
IntelCrawler discovered that employees would check their emails on the terminals, play games, browse the Internet, send messages, and even view social network activity. It may be that this is how the machines became infected because “these cases have a common denominator of weak passwords and logins, many of which were found in large 3rd party credential exposures,” the security company says.
One of the infected ticket vending machines was identified in August in Sardinia, Italy, where the attackers obtained access by exploiting credentials for VNC (Virtual Network Computing). “These kiosks and ticket machines don’t usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme,” states IntelCrawler.