By GoldSparrow in Malware

Cybersecurity experts often set out to detect new malware or hacking methods. In one such campaign, they came across an interesting piece of malware – a new PoS (Point-of-Sale) malware dubbed NitlovePoS. It is not confirmed if the perpetrators of the campaign are a known hacking group or newcomers onto the scene of cybercriminals. The attackers have not been very creative when it comes to the subject of the spam emails – it would always be something regarding Cvs, job interviews and internships. The corrupted attachments were named 'My_Resume_[RANDOM NUMBERS].doc' or 'CV_[RANDOM NUMBERS].doc.'

If the users fall for the trickery of the cyber crooks and download the attached file, which is macro-laced, and then attempts to open it, they would see a message stating that the document is locked and they need to give authorization to Microsoft Office to 'Enable Content' and 'Enable Editing.' In case the users give this permission, they would trigger the execution of the macro script and give a green light for the attack.

The attackers are spreading a large variety of malware using this method of propagation. They spread threats called 'jews2.exe', 'dro.exe,' '5dro.exe,' as well as a variant of the Pony Stealer malware. Among these threats is NitlovePoS.

When a victim triggers the NitlovePoS's macro script, the threat will drop its threatening payload, 'defrag.scr' and 'defrag.vbs,' in the %TEMP% folder. 'defrag.scr' is the backbone of the attack, while 'defrag.vbs' is meant to keep an eye on the processes that are being run on the compromised system and re-launch 'defrag.scr' in case it gets shut down. To ensure that 'defrag.vbs' is not halted, NitlovePoS also gains persistence via the Windows Registry, making sure that if 'defrag.vbs' gets terminated, it would be relaunched automatically.

The purpose of NitlovePoS is to track the running processes and seek viable credit card information by acting as a memory scraper. When NitlovePoS detects credit card info, it would collect it and then siphon it to the C&C (Command and Control) server of the attackers. The server appears to be located in Russia (with the exact IP address, alongside three other Russian domains linked to the attack.

Anti-malware software has been known to take PoS malware very seriously and may be capable of detecting and removing such threats easily. However, small businesses usually tend to overlook their cybersecurity and endanger their clients by not dedicating enough time, research, and funds to train their employees, following best-practices, and obtaining reputable anti-spyware


Most Viewed