A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.
TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.
The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.
The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.
The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.
Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.
Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.