Electronic Kiosks & Ticketing Systems Targeted By New ‘Dare Devil’ Malware

Media Division | December 4, 2014

Malware targeting POS systems has become commonplace in the last few years, but new malware types are attempting to cause more damage than simply stealing financial data from retailer checkouts.

A new malware called ‘Dare Devil’, known by the hacker handle d4re|dev1, has been identified by researchers at IntelCrawler. It is capable of compromising Figure Gemini POS, QuickBooks Point of Sale, OSIPOS Retail Management System, and Harmony WinPOS. Hackers can use this malware as an advanced backdoor and can also enable its keylogging features.

“This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features,” IntelCrawler researchers revealed via a blog post.

PoS malware has been in the limelight courtesy of several data breaches involving high-profile retail giants, such as Home Depot and Target. Hackers first infect PoS systems and then use the malware to collect payment card information from system RAM, where the specialized software that processes transactions temporarily stores the data.

In the case of Dare Devil, cyber criminals use the malware to upload files to infected systems and then install more attack tools within the local network. Researchers also revealed that the attackers can update existing malware to gain more access to a retail chain’s network.

While investigating PoS breaches, the researchers found that employees of the compromised retailers weren’t following security policies; some of them were even using PoS systems to browse the internet, check email, play games, and browse social media.

The malware in question is the type used by serious cyber criminals. These groups don’t just want to compromise one PoS terminal; they want to breach enterprise-wide networks of interconnected PoS systems that accept customer payments, and return large sets of stolen data to their C2 (command-and-control) servers.

What makes the malware unique is that it was also used to breach electronic ticketing machines and electronic kiosk systems installed in public areas. A ticket vending machine in Sardinia, Italy, was breached through VNC (Virtual Network Computing), a remote administration protocol.

Kiosks and ticket vending machines don’t hold cash in the quantities that automated teller machines do, but they have remote administration vulnerabilities that can be used to deliver malicious payloads and to help hackers harvest payment information undetected.

Dare Devil can also update itself on an ad hoc basis through remote payloads delivered via Google Chrome, running under process names such as PGTerm.exe and hkcmd.exe. This facilitates the installation of further backdoors, and such an intrusion can easily evade traditional threat detection systems.
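As an added defender-side example (not code from the article or from IntelCrawler), the check below scans a constructed process listing for the two process names the article cites and flags any instance running outside an allowlisted directory or launched by a browser. The allowlisted directories, the suspicious-parent list and the sample listing are assumptions for illustration.

```python
"""Flag suspicious instances of the process names cited for Dare Devil.

Added example, not code from the article or from IntelCrawler. The
allowlisted directories, suspicious parents and the sample listing are
constructed assumptions: hkcmd.exe is normally the Intel graphics hotkey
helper, so a copy running from a temp folder, or one spawned by a
browser, is worth an alert.
"""
from typing import Dict, List, Tuple

# Process names the article says the malware runs under (from the page).
WATCHED_NAMES = {"pgterm.exe", "hkcmd.exe"}

# Assumed legitimate install directories (adjust per fleet).
ALLOWED_DIRS = {
    "hkcmd.exe": ("c:\\windows\\system32\\",),
    "pgterm.exe": ("c:\\program files\\",),
}

# Assumed parents that should never launch these helpers.
SUSPICIOUS_PARENTS = {"chrome.exe"}


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Parse constructed 'pid | name | parent | path' lines, lowercased."""
    rows = []
    for line in text.strip().splitlines():
        pid, name, parent, path = (f.strip() for f in line.split("|", 3))
        rows.append({"pid": pid, "name": name.lower(),
                     "parent": parent.lower(), "path": path.lower()})
    return rows


def find_suspicious(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (pid, reason) for watched names off the allowlist or with a bad parent."""
    hits = []
    for r in rows:
        if r["name"] not in WATCHED_NAMES:
            continue
        if not r["path"].startswith(ALLOWED_DIRS[r["name"]]):
            hits.append((r["pid"], "unexpected path: " + r["path"]))
        elif r["parent"] in SUSPICIOUS_PARENTS:
            hits.append((r["pid"], "spawned by " + r["parent"]))
    return hits


# Constructed sample listing: one clean hkcmd.exe, two suspicious entries.
SAMPLE_LISTING = """
412  | hkcmd.exe  | explorer.exe | C:\\Windows\\System32\\hkcmd.exe
1880 | hkcmd.exe  | chrome.exe   | C:\\Users\\pos\\AppData\\Local\\Temp\\hkcmd.exe
2044 | PGTerm.exe | chrome.exe   | C:\\Program Files\\PGTerm\\PGTerm.exe
3100 | pos.exe    | services.exe | C:\\POS\\pos.exe
"""

if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_listing(SAMPLE_LISTING)):
        print(pid, reason)
```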

Protecting against Dare Devil and other PoS malware

For businesses, PoS malware is becoming a nightmare, but there are ways to protect PoS systems from such malware attacks. Here are a few measures retailers and companies using PoS systems can take:

Protect PoS credentials with actionable intelligence: It is important for PoS vendors to use threat intelligence solutions like Massive’s Strixus to ensure credentials don’t end up in the open. Such solutions include advanced monitoring and threat detection capabilities that give notice of suspicious activity on local networks, which is essential for retailers who want to stay ahead of the curve.

Educate employees: As noted by the Dare Devil researchers, employees were browsing the web from PoS systems. They should be taught to avoid such activity on PoS terminals and to do their web work on separate machines. Companies can also restrict what employees can browse.

Update software: Outdated PoS machines are easier to bypass than machines running newer software. Remember, PoS equipment wasn’t designed to last a lifetime; just as patches and software for new computer systems are released, PoS owners should keep their machines constantly updated. They may also need to be replaced over time.

Remember to plan your physical and digital security to give your machines the best chance against PoS malware. These tips are a good starting point.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.