AbaddonPOS

By GoldSparrow in Malware

In recent years, cybercriminals have become more inventive and have expanded their operations, and Point-of-Sale (PoS) devices have drawn a growing share of their attention. PoS devices were widely believed to be very secure, but criminals have developed cunning techniques to compromise them. Attacks on PoS devices usually do not hit the business directly; instead they siphon money from its customers. Needless to say, once news of such an attack comes out, the business' reputation can be gravely damaged.

AbaddonPOS is a malware family that targets businesses in the United States. The threat is believed to originate from the TA530 hacking group. It is not known where the group is based, but its targets are mainly retail and hospitality businesses in English-speaking countries such as the United States, the United Kingdom and Australia.

TA530 employs several methods to spread AbaddonPOS, among them exploit kits, Trojan downloaders, and emails carrying corrupted attachments. Once AbaddonPOS worms its way into a system, it scans the running processes, focusing on those that handle the PoS software. To save time, AbaddonPOS only looks for digit strings that are likely to hold credit card data: strings that start with 3, 4, 5 or 6 and are between 13 and 19 digits long (inclusive). The numbers AbaddonPOS picks out are then run through the Luhn algorithm to confirm that they are valid card numbers. Confirmed data is encrypted with an XOR algorithm and sent to a TA530 server whose address is hardcoded in the AbaddonPOS executable that the researchers analyzed.
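The candidate-selection logic described above, written out as an added example that is not AbaddonPOS's own code: the same prefix, length and Luhn filter that a defender would apply when scanning a memory dump or log export to check whether unprotected card numbers are present. The sample buffer and the public test card numbers in it are constructed for the example.

```python
import re

# Candidate rule from the description: a digit run of 13..19 characters whose
# first digit is 3, 4, 5 or 6, not adjacent to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)[3-6]\d{12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def find_candidate_pans(data: bytes) -> list[str]:
    """Apply the prefix/length filter, then keep only Luhn-valid runs."""
    text = data.decode("latin-1")   # 1:1 byte-to-char mapping for arbitrary buffers
    return [m.group(0) for m in CANDIDATE_RE.finditer(text) if luhn_valid(m.group(0))]


# Constructed sample buffer: public test card numbers plus strings the filter
# should reject for each of the three reasons (Luhn, prefix, length).
SAMPLE = (
    b"TXN 4111111111111111 OK;"    # 16 digits, starts with 4, Luhn-valid
    b"TXN 378282246310005 OK;"     # 15-digit test number, Luhn-valid
    b"TXN 4111111111111112 ERR;"   # fails the Luhn check
    b"ID 9111111111111111;"        # starts with 9: filtered out by prefix
    b"ID 411111111111;"            # 12 digits: too short
)

if __name__ == "__main__":
    for pan in find_candidate_pans(SAMPLE):
        print("candidate PAN:", pan)
```

Any hit from such a scan on a production PoS host indicates card data sitting unprotected in memory or on disk, which is exactly what a scraper of this kind harvests.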

To make AbaddonPOS more difficult to detect and analyze, the attackers have applied checks to ensure that the malware is not being run in a controlled environment, as well as some obfuscated code that aims to make the lives of malware researchers a tad more difficult. However, their efforts were in vain as AbaddonPOS was studied thoroughly and anti-malware applications can detect and remove it without much fuss.
