Every holiday season, retailers become prime targets for point of sale (POS) and endpoint-based attacks due to the much higher volume of in-person and online transactions that take place. Attackers know that the high volume of transactions and need to minimize downtime leaves most IT teams in retail little time to detect unusual behavior.
Security researchers are seeing increasingly sophisticated tools used by attackers to steal cardholder data as it traverses the memory of the POS system. One such tool (or family of tools) is named “Cherry Picker” and refers to its targeted method involving scraping the memory of very specific processes that contain credit card numbers and other payment information. This conservative approach minimizes exposure and lessens the chance of behavioral based detection. Current versions are multi-threaded as well, harvesting cardholder data and exfiltrating it via FTP in tandem, significantly reducing the time it takes for the actual theft to occur.
Other evasive techniques leveraged by Cherry Picker include encryption of stolen data when transmitting to an external source, a timeout parameter to specify exactly when and how often the malware runs, and an effective file infection mechanism to ensure persistence. Recent versions have even included a cleanup function that goes to great lengths to hide the malware’s tracks and thwart any forensic research done following a breach.
Impact on you
- When your business depends on the ability to take payment for the goods or services you offer, a breach of those payment systems could cause a temporary shutdown.
- The longer you are down, the greater loss you’ll incur, especially when the holidays are your peak season.
- Known breaches can also have a significant negative impact on your business’s reputation, especially when the malware could have been picked up by IDS or other detection methods.
How AlienVault Helps
LevelBlue Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then analyzing it to extrapolate expert threat intelligence. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:
- System Compromise, Trojan infection, CherryPicker POS
For further investigation into the Cherry Picker POS malware and visit the Open Threat Exchange (OTX) to see what research members of the community have done:
https://otx.alienvault.com/pulse/565e305d4637f2388ab093bc/
