New RAM scraper malware discovered: What it is, how it works and how to protect against it

  • Posted on: April 24, 2015
  • Posted in: Cloud Computing, Current News, Industry News, Vulnerabilities & Exploits
  • Posted by: Trend Micro

Less than two years ago, much of the world was introduced to RAM scraping malware thanks to the retail breach involving Target. While this type of attack has been seen since 2011, the 2013 Target breach was the largest-scale infiltration event that a RAM scraper had ever been involved in.

Since then, RAM scraper malware has become a favorite of sorts for malicious actors. Due to the ability to target a company's point-of-sales system directly, a number of RAM scraper malware attacks have been carried out since the infamous Target breach. These resulted in other considerably impactful and damaging breaches, including one related to Home Depot, which is now thought to be the most extensive breach yet.

Earlier this year, researchers discovered a new strain of RAM scraping malware, known as PoSeidon, that also seeks to target the plain text data archived in the memory of a store's PoS system. Today, we'll examine this new sample, its similarities to other RAM scraping malware and strategies that can help prevent a breach of this kind.

RAM scrapers: Nothing new
As noted, this type of attack didn't begin with the Target breach. Dark Reading contributor Mathew Schwartz pointed out that hackers have been using this type of malware for a number of years. The first sample recognized in 2011 was Trackr, also known as Alina, which infected a series of hotels, an Australian auto dealership and at least one institution of higher learning. However, the RAM scraper-based attack on Target "set a new high," according to Schwartz, due to the number of records hackers were able to access and compromise.

"Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," said security researcher Graham Cluley.

Then, just under a year later, came the breach of home improvement retailer Home Depot, where cybercriminals again leveraged a RAM scraper to infiltrate the chain's PoS system. This attack proved to be even larger than Target's: a total of 56 million customer payment cards were compromised, 16 million more than in the Target breach, according to The Wall Street Journal.

PoSeidon: New kid on the block
Since the attacks on Target and Home Depot, security researchers and retailers alike have trained their focus on this type of malware, working to better understand how such infiltrations take place and how they can be prevented. Recently, researchers from Cisco's Security Solutions team uncovered a new point-of-sale Trojan that scrapes RAM to identify and compromise payment card information.

According to Computerworld, the new strain has been dubbed PoSeidon, and it is actually made up of three malware components working in tandem to breach a system and scrape sensitive data: a keylogger, a loader and a memory scraper that has keylogging capabilities as well.

The keylogger is a key part of this malware, as it enables hackers to snoop on and steal authentication credentials for a remote access application. The sample deletes these credentials and profile information when users enter them, forcing them to enter the data a second time, which allows the keylogger to capture the details.

"Past studies have shown that PoS terminals are typically compromised through stolen or brute-forced remote access credentials, as many of them are configured for remote technical support," wrote Computerworld contributor Lucian Constantin. "[T]his keylogger is potentially used to steal remote access credentials that are needed to compromise point-of-sale systems and install PoSeidon."

Once the credentials are in place, the loader component is installed, which creates the registry keys required for persistence, so the malware survives a system reboot. At this point, the malware downloads the FindStr file from its command-and-control server, enabling the sample to identify payment card numbers being run through and stored on the PoS system.

While these functions are typical of any other RAM scraping malware, one thing sets PoSeidon apart from other infections.

"Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically," Constantin wrote.

Researchers went public with their findings after the PoSeidon discovery, hoping to warn retailers and other organizations that this new sample was a threat. Currently, there have been no reports of PoSeidon being discovered in connection with a data breach in the wild.

Protecting against a RAM scraper
While protecting against this type of threat can be difficult, there are strategies companies can adopt to reduce their exposure. The first step is understanding what types of businesses are at risk.

Although the majority of high-profile breaches involving RAM scraper malware have involved the retail sector, this isn't the only industry that is at risk. Naked Security contributor Numaan Huq noted that organizations in education, food services, hotel and tourism and health care are also targets for hackers.

In addition, experts suggest utilizing monitoring capabilities to maintain visibility of all the points where a hacker could strike. This type of technology can help identify suspicious activity that could be associated with the beginning stages of an attack.

"To defend against RAM scraping, it's a good idea for enterprise IT security managers to make sure preventative and detective measures are in place for the organization's high-value targets, typically devices where sensitive data resides or that may represent a way to easily obtain access to it," wrote TechTarget contributor Nick Lewis.

In addition, employees should be taught what to look for to help identify an attack of this kind. For example, the PoSeidon malware deletes users' authentication credentials when initially entered, enabling the sample to capture this information when it is input a second time. If an employee notices their username and password inexplicably deleted from the login portal, they should alert the IT team.

Lewis also suggests having a plan in place that will govern how the organization will react if an attack of this kind is discovered.

"Putting a process in place to follow up on potential RAM-scraping attacks (or any attacks, for that matter) is as important," Lewis wrote. "If network-monitoring systems identify when a high-value target, such as a stationary point-of-sale terminal, starts communicating with new systems on an internal network in the enterprise or on the Internet, this alert should not only draw the attention of the security staff, but also be investigated quickly."

This can help prevent an attacker from further compromising the network and mitigate the overall damage caused by the breach. Working with a third-party security expert like Trend Micro can also help ensure that all sensitive points are covered and the proper security monitoring is in place.
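As an added illustration of the monitoring Lewis describes (not code from the original post or from any Trend Micro product), the following Python script compares each PoS terminal's outbound connections against a known baseline and raises an alert when a terminal starts talking to a new destination, distinguishing unexpected internal (lateral) connections from external ones. The log format, host names, addresses and baseline are all constructed for the example.

```python
"""Flag point-of-sale hosts that begin communicating with destinations
outside their known baseline. Illustrative example only; log format,
host names and baseline are constructed, not taken from a real network."""
import ipaddress

# Constructed connection log: timestamp, source host, destination IP, port.
SAMPLE_LOG = """\
2015-04-24T09:01:12 pos-term-01 10.0.5.20 443
2015-04-24T09:01:40 pos-term-01 10.0.5.21 8443
2015-04-24T09:03:05 pos-term-02 10.0.5.20 443
2015-04-24T09:07:51 pos-term-01 198.51.100.23 80
2015-04-24T09:08:02 pos-term-02 10.0.9.77 445
"""

# Assumed baseline: the (destination, port) pairs each terminal legitimately uses,
# e.g. the payment gateway and the store's back-office server.
BASELINE = {
    "pos-term-01": {("10.0.5.20", 443), ("10.0.5.21", 8443)},
    "pos-term-02": {("10.0.5.20", 443)},
}

# Assumed internal address space; anything else is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse the whitespace-separated log into (ts, host, dst_ip, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        events.append((ts, host, dst, int(port)))
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_new_destinations(events, baseline):
    """Return one alert per connection that is not in the terminal's baseline.
    'external' marks an off-network destination (possible C2 or exfiltration),
    'internal' marks unexpected lateral traffic inside the enterprise."""
    alerts = []
    for ts, host, dst, port in events:
        if (dst, port) in baseline.get(host, set()):
            continue
        kind = "internal" if is_internal(dst) else "external"
        alerts.append({"time": ts, "host": host, "dst": f"{dst}:{port}", "kind": kind})
    return alerts


if __name__ == "__main__":
    for alert in find_new_destinations(parse_log(SAMPLE_LOG), BASELINE):
        print(alert)
```

In practice the baseline would be learned from a clean observation window and the alerts fed to the incident response process Lewis describes, so that each one is investigated rather than merely logged.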
