Three malware strains —GratefulPOS, Emotet, and Zeus Panda— have sprung to life with new active campaigns just in time for the holiday shopping season.
While GratefulPOS appears to be a new malware strain, the other two, Emotet and Zeus Panda, have just suffered minor updates to allow them to go after online shops more active this time of year.
Of the three, the most intriguing one is GratefulPOS, a malware strain that targets Point of Sale (POS) systems. Discovered by the Target Cyber Threat Intelligence & Detection Team and analyzed by security researchers from RSA's FirstWatch division, GratefulPOS appears to a code mashup between multiple malware families such as FrameworkPOS, TRINITY, BlackPOS, and BrickPOS.
First spotted in mid-November, GratefulPOS was designed to execute on POS systems running x64 versions of Windows 7 or later.
According to RSA researchers, the malware appears to be installed manually, meaning attackers must compromise POS networks beforehand.
Under the hood, GratefulPOS is largely based on FrameworkPOS, meaning it shares most of its features [1, 2, 3, 4], such as the ability to scrape the RAM for payment card data and its ability to send collected data to its C&C server as encoded and highly obfuscated DNS queries.
"This DNS exfiltration method employed by the POS malware is clever," says RSA researcher Kent Backman. "It effectively negates a common POS system control employed by payment card merchants, which is blocking direct access to the Internet from the POS systems. If the POS systems point to internal DNS servers, this malware should have no problem exfiltrating credit card data en masse without direct connect to the Internet."
A second malware strain that has seen an increase in activity is Zeus Panda, the same malware family spotted a few weeks back altering search page results to point users to malicious download links.
According to a report released last week by Proofpoint, since mid-November, the operators of the Zeus Panda trojan have changed their regular modus operandi.
"We have observed Zeus Panda banking Trojan campaigns that have an increasing focus on non-banking targets with an extensive list of [browser] injects clearly designed to capitalize on holiday shopping and activities," says the Proofpoint staff.
"More specifically, these Zeus Panda (aka Panda Banker) campaigns expanded their injects to a variety of online shopping sites for brick and mortar retailers like Zara, specialty online retailers, travel sites, and video streaming sites, among others," researchers said.
Apart from an updated target list, Zeus Panda remained the same trojan we knew before, working by infecting users and then injecting malicious code that steals login credentials into web pages found on its target list.
Last but not least, Bromium researchers spotted an interesting Emotet variant that was released just in time to catch the late holiday shopping season.
In an email to Bleeping Computer, a Bromium spokesperson said the newly identified Emotet version "was able to evade over 75% of antivirus engines tested."
Bromium says this was possible because Emotet adopted polymorphic features and it continually repackaged malicious code to avoid detection.
"In samples that are literally minutes old, Bromium observed the control server updating the malware faster than anti-virus programs are updating their awareness," experts said.
Malware using polymorphic features isn't anything new, but this appears to be the first time we see Emotet employing this technique.