LockPOS is a stealthy point of sale (POS) malware with a rich heritage. Greek mythology states that Athena, Goddess of War, sprang as a fully armed warrior from the head of Zeus. Likewise, in 2016, the POS malware called Flokibot emerged from the Zeus banking trojan and showcased a 40% increase in execution rates. LockPOS is an evolution of Flokibot, and current indicators suggest it is the most advanced iteration of the Zeus-family malware.
Cylance Threat Research dissected LockPOS to see how this silent threat infiltrates systems without detection. The major innovation involves using API hashing when injecting itself into the Microsoft Windows® kernel. POS malware has long relied upon exploiting API calls, but LockPOS uses a method which renders itself undetectable to many antivirus (AV) programs.
Our testers have observed LockPOS using the following injection process:
- The core payload of LockPOS is encrypted
- LockPOS calls APIs to perform payload decryption
- The APIs are called using API hashing which makes the activity difficult for AV to detect
- The decrypted executable loads into memory
- Once executed, the malware makes additional hashed API calls from ntdll.dll to inject itself into explorer.exe
- The malware is injected from memory into the kernel space
Once injected, LockPOS attempts to communicate with a command and control (C2) server at bbbclearner[dot]at/_x/update[dot]php. This C2 server is not used by any previously discovered malware, though it contains a back-end panel similar to the treasurehunter[dot]at C2 server. Additionally, LockPOS queries several unregistered domains in a possible attempt to further cloak its activity or hide its actual C2 domain. A list of these false domains is found here, under the IOC - Domains heading.
Why is LockPOS Important and Why Should I Be Concerned?
LockPOS is designed to steal payment card information from point of sale (POS) devices. To understand the damage potential of this malware, consider the following:
- In 2016 Americans processed $2.56 trillion in debit card payments through 69.5 billion transactions
- In 2015 Americans processed $3.08 trillion in payments on credit cards
- In 2014 POS systems accounted for 28.5% of all reported breaches
- POS systems are the second fastest growing environment for reported data breaches (behind corporate internal networks)
When vast amounts of money circulate through relatively insecure systems, criminals take notice. This is reflected by the recent history and continued growth of POS attacks. In 2013, retailer Target lost the names, addresses, and contact information of 70 million customers to a POS attack. A year later, Home Depot lost 56 million of their customer’s credit card details to a similar attack. In 2016 over a thousand Wendy’s locations (about 18% of total locations) reported being compromised by POS malware.
Recent research from IBM estimates a data breach will cost a business $158 per stolen record. With tens of billions of transactions going through POS systems each year, LockPOS poses a serious threat to companies of all sizes.
Cylance Stops LockPOS
Our tests show that CylancePROTECT® is effective at stopping LockPOS. While the malware has evolved some interesting new tricks to avoid detection, it still can’t fool the AI/ML driven protection of Cylance. Other security analysts studying LockPOS have observed, "This is not something that can be done by five people in a lab. This is an operation."
While the size and sophistication of the threat actors behind LockPOS remain unknown, our customers need not worry. Cylance tackles malware prevention with mathematical models which have analyzed over seven million features taken from over a billion files. While the threat actors work harder, Cylance’s engineers continue to work smarter, keeping your IT security one step ahead of the villains.