CenterPOS Malware explained

CenterPOS (also known as "Cerebrus") is point-of-sale (POS) malware discovered by cyber security experts.[1] It was discovered in September 2015 along with other POS malware families, such as NewPOSThings, BlackPOS, and Alina.[2] The developer responsible has released two versions: version 1.7 and version 2.0.[3] CenterPOS 2.0 retains the functionality of version 1.7 and adds features such as a configuration file for storing its command and control server information.[4]

Overview

CenterPOS has been used to target retailers in order to illegally obtain payment card data with a memory scraper.[5] It uses two distinct modes to scrape and store information: a "smart scan" and a "normal scan".[6] In normal scan mode, the malware iterates over all processes on the device and selects those that are not currently running processes, are not named "system", "system idle process" or "idle", and do not contain keywords such as Microsoft or Mozilla. For every process that meets these criteria, the malware searches all of its memory regions for credit card data using the regular expressions in its regular expression list. In smart scan mode, the malware first performs a normal scan, and any process that produces a regular expression match is added to the smart scan list; after this first pass, it searches only the processes on that list. The malware also contains functionality that allows the operators to create a configuration file.[7]
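The two scan modes described above leave a telemetry footprint a defender can key on: one process opens read handles to many unrelated processes (the normal scan), then keeps re-reading the few that matched (the smart scan list). The following is an added example, not code from the page or from any of its sources: it runs a simple detection over constructed Sysmon-style ProcessAccess (Event ID 10) records; the paths, the allowlist and the thresholds are assumptions.

```python
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # access-right bit a handle needs for ReadProcessMemory

def ev(src, dst, access=0x1410):
    # Constructed Sysmon-style Event ID 10 (ProcessAccess) record.
    return {"SourceImage": src, "TargetImage": dst, "GrantedAccess": access}

SCRAPER = r"C:\Users\pos\AppData\Roaming\upd.exe"  # invented suspect binary
EDR = r"C:\Program Files\ExampleEDR\sensor.exe"    # invented vetted tool
POS_APP = r"C:\POS\register.exe"                   # invented card-handling app
OTHERS = [r"C:\Windows\explorer.exe", r"C:\Windows\dwm.exe", r"C:\Windows\conhost.exe",
          r"C:\Program Files\Java\javaw.exe", r"C:\POS\printspool.exe"]
# Constructed telemetry: the suspect walks six unrelated processes (normal scan),
# then re-reads only the one that matched (smart scan). The vetted tool also reads
# many processes, and notepad holds one handle without VM_READ. All paths invented.
SAMPLE_EVENTS = (
    [ev(SCRAPER, t) for t in [POS_APP, *OTHERS]]
    + [ev(SCRAPER, POS_APP) for _ in range(4)]
    + [ev(EDR, t) for t in [POS_APP, *OTHERS]]
    + [ev(r"C:\Windows\notepad.exe", OTHERS[0], access=0x1000)]
)
# Assumption: memory-inspecting tools this site has vetted; compared lowercase.
ALLOWLISTED_SOURCES = {EDR.lower()}

def summarize_reads(events):
    """Per source image: the set of distinct targets read and per-target read counts."""
    targets = defaultdict(set)
    reads = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["GrantedAccess"] & PROCESS_VM_READ:
            continue  # the handle cannot read memory, so it is not a scrape
        src, dst = e["SourceImage"].lower(), e["TargetImage"].lower()
        if src in ALLOWLISTED_SOURCES:
            continue
        targets[src].add(dst)
        reads[src][dst] += 1
    return targets, reads

def find_scrapers(events, fanout=5, repeat=3):
    """Flag sources that read >= fanout distinct processes (normal-scan footprint) and
    list targets they re-read >= repeat times (smart-scan list candidates)."""
    targets, reads = summarize_reads(events)
    hits = {}
    for src, dsts in targets.items():
        if len(dsts) >= fanout:
            focused = sorted(d for d, n in reads[src].items() if n >= repeat)
            hits[src] = {"distinct_targets": len(dsts), "repeated": focused}
    return hits

if __name__ == "__main__":
    for src, info in find_scrapers(SAMPLE_EVENTS).items():
        print(f"{src}: read {info['distinct_targets']} processes, repeated {info['repeated']}")
```

On real telemetry, tune the fan-out threshold against a baseline of the site's own management and monitoring agents, since those legitimately read many processes and belong on the allowlist rather than in the alerts.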

Process Details

CenterPOS first searches for the configuration file that contains the C&C information. If it cannot find the configuration file, it prompts for a password; if the password entered is correct, it runs the functions that create a configuration file.[8] This malware differs from most other point-of-sale malware in that it has a separate component, called the builder, to create the payload.[9]

The CenterPOS malware scrapes credit and debit card information in smart scan mode and then encrypts all of the scraped data using Triple DES.[10] The scraped data is then sent to the malware's operator in a separate HTTP POST request.[2]

Notes and References

  1. "CenterPOS: CenterPoS POS Malware Variant". Cyber.nj.gov. Retrieved 2016-10-02.
  2. "Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems". Securityaffairs.co. 2016-01-29. Retrieved 2016-10-02.
  3. "CenterPOS: An Evolving POS Threat". Fireeye.com. 2016-01-28. Retrieved 2016-10-02.
  4. "CenterPOS – The evolution of POS malware". Iicybersecurity.wordpress.com. 2016-01-29. Retrieved 2016-10-02.
  5. Numaan Huq. "A look at Point of Sale RAM scraper malware and how it works". Nakedsecurity.sophos.com. 2013-07-16. Retrieved 2016-10-02.
  6. "CenterPOS: An Evolving POS Threat". Securitybloggersnetwork.com. Retrieved 2016-10-02. Original link dead; archived 2017-01-09 at https://web.archive.org/web/20170109010340/http://securitybloggersnetwork.com/author/kristen-dennesen/page/6/.
  7. "Two New PoS Malware Affecting US SMBs". TrendLabs. 2015-09-28. Retrieved 2016-10-09.
  8. "New Version Of CenterPOS Malware Taps Rush To Attack Retail Systems". Darkreading.com. 2016-01-28. Retrieved 2016-10-02.
  9. "Two new point-of-sale threats target SMBs in the U.S". Scmagazine.com. 2013-10-31. Retrieved 2016-10-02.
  10. "New Version of CenterPOS Malware Emerges". Onthewire.io. 2016-01-28. Retrieved 2016-10-02.