LockPos, the new point-of-sale malware being distributed by a once-dormant command and control server

Criminal gang’s malware threatens to steal credit card information from poisoned payment terminals.

David Bisson
@DMBisson

A once-dormant command-and-control server for Flokibot has woken up and begun to distribute a new point-of-sale (PoS) malware family.

The new threat, which researchers at Arbor Networks call “LockPoS,” uses run keys in the Windows Registry to achieve persistence before communicating with its command-and-control server over HTTP.

POST data exchanged with that server consists of “data chunks” pertaining to the infected machine. The malware can then use return data sent over in a C2 response to update its configuration or inject an executable file into explorer.exe, among other functions.

Sign up to our newsletter
Security news, advice, and tips.
Initial configuration for LockPoS (Source: Arbor Networks)

As for its ability to steal credit card information, LockPoS isn’t exactly ground-breaking. Dennis Schwarz of Arbor Networks explains:

“The malware’s PoS credit card stealing functionality works similarly to other PoS malware: it scans the memory of other running programs looking for data that matches what credit card track data looks like.”

An example credit card exfiltration by LockPoS. (Source: Arbor Networks)

But what is unusual is that LockPoS shares command-and-control infrastructure with Flokibot.

Perhaps the criminals responsible for Flokibot created LockPoS in an attempt to diversify their portfolio of threats. And if that association weren’t enough, Flokibot and LockPoS’s shared command-and-control server (treasurehunter[dot]at) bears the same name as TREASUREHUNT, a separate PoS malware family seemingly designed for a specific “dump shop” of credit card information.

PoS malware gangs are always developing new strains to target businesses’ point-of-sale terminals. To counter this persistent threat, companies need to regularly patch their electronic tills and monitor their systems for anomalous activity.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.