LockPOS, a type of malware targeting point-of-sale devices that has been on the radar of the retail sector since last year, may now be able to benefit from a new code injection method that allows it to evade common detection methods, according to a blog post from Cyberbit, which claimed to have discovered the new injection method.
Meir Brown, director of research at Cyberbit, told Retail Dive via e-mail that the company is not aware of any malware attacks against retailers in which the new method has been used, but he added, "it is certainly a risk" to retailers.
Brown further described the malware injection method as previously unpublished, but similar to one used with FlokiBot, another strain of malware that targeted POS track data last year, a similarity which implies both LockPOS and FlokiBot were created by the same author.
Cyberbit goes into great technical detail on its blog as to how this injection method works and why it poses a major challenge even to companies that are trying to actively detect and protect against such malware. Brown gave Retail Dive a more condensed, though perhaps only slightly less dense, outline of how the injection method works, and what makes it such a potential headache:
"This malware is one of the most advanced injection techniques we’ve seen at Cyberbit since it calls the lowest levels of the Windows operating system (the kernel) directly, without accessing Windows APIs. This is a sophisticated way to evade security systems which typically use hooks in the Windows user-space, over the Windows API, to detect malicious activity, such as code injection. This technique bypasses these hooks – since it calls the kernel directly – using system calls. Monitoring system calls in the kernel is not possible today due to Windows patch guard. That is why this technique if used in the wild cannot be detected by regular hooks used by traditional [anti-virus] products."
The POS malware uses the injection into the Explorer.exe process to search the memory of every running process and scrape credit card information, similar to what happened in the recent Forever21 data breach, said Brown. That incident, in which it was not immediately clear that malware had been installed on the retailer’s POS devices, showed how malware can sometimes evade initial detection efforts.
Brown said Cyberbit was able to detect the injection technique using its own endpoint detection platform, which picked up traces this attack left "when creating persistence in the registry and by the enumeration it does for running processes." He added, "The major risk in this new tactic lies in its new approach, since other malware can utilize this technique and generate a highly stealthy malware, which will be very difficult to detect by traditional security products."
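As an added illustration (not Cyberbit's detection logic and not code from the article), here is a small behaviour correlator over constructed endpoint telemetry: it does not depend on user-mode API hooks at all, but on the two traces Brown names, a registry Run-key persistence entry and enumeration of many running processes by the same process. The event field names and the sample records are assumptions.

```python
"""Toy behavioural correlator: flag a process that both creates Run-key
persistence and opens/enumerates many other processes (including
explorer.exe), the traces the article says survive even when user-mode
API hooks are bypassed by direct system calls."""
from collections import defaultdict

# Constructed sample telemetry (not real LockPOS events). Each record is
# (pid, image, event, detail); the schema is an assumption for this example.
SAMPLE_EVENTS = [
    (4120, "svchost.exe", "process_open", "lsass.exe"),
    (5288, "updater.exe", "registry_set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    (5288, "updater.exe", "process_open", "explorer.exe"),
    (5288, "updater.exe", "process_open", "pos.exe"),
    (5288, "updater.exe", "process_open", "chrome.exe"),
    (5288, "updater.exe", "process_open", "notepad.exe"),
    (7001, "explorer.exe", "process_open", "outlook.exe"),
]

# Registry paths commonly used for autostart persistence (case-insensitive).
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")


def is_run_key_persistence(path):
    """True if a registry write lands under a Run/RunOnce autostart key."""
    return any(key in path.lower() for key in RUN_KEYS)


def correlate(events, enum_threshold=3):
    """Return one alert per pid that shows both persistence and broad
    process enumeration; neither signal alone raises an alert."""
    by_pid = defaultdict(lambda: {"image": None, "persist": [], "opened": set()})
    for pid, image, event, detail in events:
        rec = by_pid[pid]
        rec["image"] = image
        if event == "registry_set" and is_run_key_persistence(detail):
            rec["persist"].append(detail)
        elif event == "process_open":
            rec["opened"].add(detail.lower())
    alerts = []
    for pid, rec in by_pid.items():
        if rec["persist"] and len(rec["opened"]) >= enum_threshold:
            alerts.append({"pid": pid, "image": rec["image"],
                           "persistence": rec["persist"],
                           "opened_count": len(rec["opened"]),
                           "touched_explorer": "explorer.exe" in rec["opened"]})
    return alerts
```

Run against the constructed events, only pid 5288 is flagged: svchost.exe opens one process without persistence, and explorer.exe itself writes no Run key.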
He recommended retailers use such endpoint detection platforms to perform heuristic detection based on dynamic behavior analysis and memory forensics.
Ultimately, the message for retailers here is never to assume you have all the malware detection and protection you need, and to keep evaluating the tools and methods that are in place. The bad guys will keep getting more creative and better at what they do, so you have to as well.