Coming To a Break Room Near You: Point-of-sale malware

by Noah Dunker

At about 6:00 AM on July 4th, 2017 RiskAnalytics’ ThreatSweep platform identified a break room vending kiosk at a customer’s office that had been infected with a point-of-sale malware family that’s been called PoSeidon and FindPOS by various vendors since its initial discovery in 2015.

A large nationwide vendor that provides self-service kiosks was impacted, and an update was pushed out to these kiosks in the field. The kiosks and the break room supplies (such as drinks, candy, chips and other snacks) are often installed and maintained by local Value-Added-Resellers. In our analysis of the incident, it seems most likely that the larger vendor was compromised, and some or all of the kiosks maintained by local vendors were impacted. We’ve been able to identify at least two smaller vendors with local operations that have been impacted in two different cities though we are not naming any impacted vendors yet, as we’ve been unable to contact them directly.

This is a textbook example of an “Internet of Things” (IoT) threat: A network-connected device, controlled and maintained by a third party, which cannot be easily patched, audited, or controlled by your own IT staff.

The malicious traffic matched the format identified by Cisco in their 2015 write-up of PoSeidonRA Labs’malware reverse engineering team was able to decode the trivially-obfuscated parts of the command and control data stream, which revealed what was apparently a payment card PAN (16 digits, matching the Luhn verification checksum) and some other numeric data. Additional malware connections were made via SSL/TLS using well-known certificates that had been previously attributed to this malware family. The presence of the PoSeidon/FindPOS SSL certificate is enough of an indicator that we’re comfortable using it to identify and block C2 operations.

According to the Abuse.ch SSL Blacklist, the SSL certificate observed has a history of being used for other malware, including TorrentLocker ransomware in 2015.

An example of a PoSeidon form post exfiltrating data to command-and-control. Sensitive information redacted.

Table of indicators directly observed by RA Labs: PoSeidonIOC.txt

Additionally, every IP address between 185.164.34.15 and 185.164.34.23 inclusive seems to be serving up the malicious SSL certificate in question as of the time of publication. It is therefore assumed that the entire range is being abused. This doesn’t fit into a tidy CIDR for a firewall rule, though 185.164.34.16/29 is close, with 185.164.34.15 being outside the range.