Security experts unearth new POS malware NitlovePoS
The malware family is full of tricks, and now there is a new member, NitlovePoS, that captures and tracks payment card behavior and scans infected machines.

Old wine in a new bottle: POS malware delivered by phishing

FireEye says that hackers have added a new twist to phishing, using email subjects with attention-grabbing words: looking for jobs, vacancies, internships, recruiting, resumes and the like. These phishing emails began going out in batches on May 20th and were sent in bulk to a large number of mailboxes. The mail may include a doc file named in the format CV_XXXX (four digits) or My_Resume_xxxx (four digits). At first glance this kind of document looks a bit like a resume, but it is just a macro virus.

If the victim opens the document and macros are enabled, the macro virus automatically downloads and executes a malicious exe file from 80.242.123.155/exe/dro.exe. At the moment this phishing campaign is continuing, and the malware it downloads is constantly being updated.

NitlovePoS running and killing

FireEye experts say: "In order to deceive the victim into opening the document, the document pretends to be a 'protected document'. However, we were not fooled by the appearance, and our focus was more on 'pos.exe', which is NitlovePoS; everyone suspects it is a virus targeting POS machines. We speculate that once the attacker has selected a victim, they can remotely control the victim machine to download the POS virus. When we monitored, we found that among the many exe download links, only three links downloaded pos.exe."

After the machine is infected, the malware adds itself to the registry startup. NitlovePoS needs to be run with "-" plus parameters to run normally; otherwise it will not show any malicious behavior. This special feature helps it bypass some simple security checks, especially automated inspections.
FireEye said: "If you set the correct parameters for NitlovePoS, NitlovePoS will decode itself in memory and start looking for data related to payment cards. If it is not successful, it will sleep for five minutes and then try again."

Prospects for similar POS malware

NitlovePoS is not special. Since 2015, a large number of POS malware families have appeared, such as Punkey and FighterPOS. FireEye experts warned: "What our readers need to know is that we have a lot of ways to protect the POS environment. For example, the next generation firewall, which uses network isolation technology. A key advantage of Next Generation Firewalls (NGFWs) is that they provide network isolation, partitioning application servers and data based on different risk points and security levels, and tight access control."

As POS malware spreads, it also becomes easier to discover and detect. In addition, with the development of new technologies, even if different malware families have certain similarities, it is still difficult to detect new variants. Cybercrime therefore also has new hope, and new versions of POS malware with similar functions will continue to emerge to meet the needs of the cybercrime market.
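
The delivery chain described above (a CV_XXXX or My_Resume_xxxx doc attachment, then an exe pulled from a bare IP address) can be turned into a simple correlation rule. This is an added example, not FireEye's code; the log schema, field names, 24-hour window and all sample records are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Attachment names the article gives for the lure: CV_NNNN.doc / My_Resume_NNNN.doc
LURE_NAME = re.compile(r"^(?:CV|My_Resume)_\d{4}\.doc$", re.IGNORECASE)
# An .exe fetched from a bare IPv4 host, the shape of the download URL in the article
EXE_FROM_IP = re.compile(
    r"^(?:http://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S+\.exe$", re.IGNORECASE)
WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment

# Constructed sample records; the field names are a hypothetical log schema.
MAIL_LOG = [
    {"time": "2015-05-20T09:02:00", "rcpt": "till01@shop.example", "attachment": "CV_4821.doc"},
    {"time": "2015-05-20T09:05:00", "rcpt": "hr@shop.example", "attachment": "My_Resume_1093.doc"},
    {"time": "2015-05-20T09:07:00", "rcpt": "ops@shop.example", "attachment": "invoice_2015.pdf"},
]
PROXY_LOG = [
    {"time": "2015-05-20T09:10:30", "user": "till01@shop.example",
     "url": "http://192.0.2.10/exe/sample.exe"},
    {"time": "2015-05-20T10:00:00", "user": "ops@shop.example",
     "url": "http://updates.example/tool.exe"},
]

def correlate(mail_log, proxy_log, window=WINDOW):
    """One alert per lure-named attachment; 'high' if the recipient then
    fetched an .exe from a bare IP address within the window."""
    alerts = []
    for mail in mail_log:
        if not LURE_NAME.match(mail["attachment"]):
            continue
        received = datetime.fromisoformat(mail["time"])
        downloads = [
            p["url"] for p in proxy_log
            if p["user"] == mail["rcpt"] and EXE_FROM_IP.match(p["url"])
            and timedelta(0) <= datetime.fromisoformat(p["time"]) - received <= window
        ]
        alerts.append({"rcpt": mail["rcpt"], "attachment": mail["attachment"],
                       "severity": "high" if downloads else "medium",
                       "downloads": downloads})
    return alerts

if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, PROXY_LOG):
        print(alert)
```

A "medium" alert means only the lure-named attachment was seen; "high" means the same recipient went on to fetch an executable from a bare IP, which is the point at which the host should be checked for a new registry startup entry.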