Earlier this month, security researchers discovered a new PoS malware family, which they named “LusyPOS” after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they noted that it had some characteristics linked to the Dexter family of PoS malware. It also behaved similarly to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to reach its command-and-control (C&C) servers.
However, we believe that LusyPOS is more closely related to Dexter than to Chewbacca, despite its use of Tor. Dexter and Chewbacca use very distinct text strings within their code; for example, some variable names used in Dexter’s code are not found in Chewbacca at all. Dexter is one of the most widespread and long-running PoS malware families, and we closely monitor this particular threat in order to help protect our customers.
We’d earlier documented these names – and their uses – in our previous paper analyzing existing PoS malware families. Some of the strings that were identified in LusyPOS were also found in Dexter. For example, the following strings are known to be HTTP POST variables used by Dexter:
Similarly, the following are commands that are known to be processed by Dexter:
The same paper also lists the strings used by Chewbacca; however, the analysis of LusyPOS did not indicate that any of these strings are present.
So what does this mean? The evidence suggests that this new LusyPOS malware family is more closely related to Dexter than to Chewbacca. It is possible that LusyPOS is a new Dexter variant that has copied the Tor behavior of the newer Chewbacca family. Considering the recognized threat that Dexter poses, this is a significant addition to the repertoire of existing PoS threats. Such a capability would be welcomed by cybercriminals, particularly during the holiday shopping season.
The original researchers note that it would be highly abnormal for PoS systems to connect to the Tor network, which is correct. PoS terminals should only need to reach their payment processor and a small set of management hosts, so egress filtering on firewalls and network monitoring can be used to spot and block any connection from the PoS segment to known Tor relays or Tor ports as soon as it appears.
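The following is an added example of the kind of check described above, written for this page rather than taken from the original post or from either research team. It scans constructed firewall-style log lines for connections that originate in a hypothetical PoS subnet (10.50.0.0/24) and land on a constructed Tor relay list or on Tor's default relay ports (9001 for the ORPort, 9030 for the DirPort); the relay addresses, subnet and log format are all assumptions for the example. A real deployment would load the relay list from the Tor directory consensus and the records from the firewall or NetFlow collector.

```python
"""Flag PoS hosts that reach the Tor network.

Added illustration, not code from the original post. The PoS subnet,
relay list and log format below are constructed for the example.
"""
import ipaddress
import re

# Hypothetical register VLAN; in practice, the real PoS segment(s).
POS_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed relay list (documentation addresses, not real Tor relays).
# In production this would come from the Tor directory consensus, because
# many relays listen on 443 or 80 and a port-only check would miss them.
TOR_RELAYS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}

# Tor's default ORPort and DirPort. A port-only hit is a weaker signal
# than a relay-list hit, so both reasons are reported separately.
TOR_PORTS = {9001, 9030}

LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one constructed firewall log line; return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_pos_host(ip):
    """True if the address falls inside a configured PoS subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POS_SUBNETS)


def tor_indicators(rec):
    """Return the reasons (possibly none) a record looks like Tor egress."""
    reasons = []
    if rec["dst"] in TOR_RELAYS:
        reasons.append("dst is a known Tor relay")
    if rec["dport"] in TOR_PORTS:
        reasons.append(f"dst port {rec['dport']} is a Tor port")
    return reasons


def find_tor_egress(lines):
    """Return (src, dst, dport, reasons) for every PoS-to-Tor connection."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pos_host(rec["src"]):
            continue
        reasons = tor_indicators(rec)
        if reasons:
            alerts.append((rec["src"], rec["dst"], rec["dport"], reasons))
    return alerts


# Constructed sample log lines for the example.
SAMPLE_LOGS = [
    # PoS host to a listed relay on 443: caught only because of the relay list.
    "2014-12-09T08:15:02Z action=allow proto=tcp src=10.50.0.12:49210 dst=198.51.100.7:443",
    # PoS host to a listed relay on the default ORPort: both indicators fire.
    "2014-12-09T08:15:09Z action=allow proto=tcp src=10.50.0.12:49211 dst=203.0.113.42:9001",
    # PoS host to its (hypothetical) payment processor: benign, no alert.
    "2014-12-09T08:16:30Z action=allow proto=tcp src=10.50.0.15:50001 dst=192.0.2.10:443",
    # Office workstation to a relay: outside the PoS segment, out of scope here.
    "2014-12-09T08:17:44Z action=allow proto=tcp src=10.20.0.5:51000 dst=198.51.100.7:9001",
    # PoS host to an unlisted address on the default DirPort: port-only hit.
    "2014-12-09T08:18:01Z action=allow proto=tcp src=10.50.0.20:49999 dst=192.0.2.200:9030",
    # Malformed line: skipped by the parser.
    "garbage line that does not match",
]

if __name__ == "__main__":
    for src, dst, dport, reasons in find_tor_egress(SAMPLE_LOGS):
        print(f"ALERT {src} -> {dst}:{dport} ({'; '.join(reasons)})")
```

The first sample line is the important one: a relay that listens on 443 looks like ordinary HTTPS to a port-based rule, so the relay list does the real work and a port-only match is best treated as a lower-confidence lead. The same relay list can be turned into an outbound deny rule for the PoS segment, but in an environment where terminals may only talk to a handful of hosts, a default-deny egress policy with explicit allows makes the Tor question moot.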
Update as of 1:00 A.M. PST, December 10, 2014
We have edited this entry to clarify the reference to the relationship between LusyPOS and Chewbacca.