New LockPoS Injection Technique Delivers Malware Directly into Kernel

Cyberbit malware researchers recently discovered a new injection technique employed by a new variant of the LockPoS point-of-sale (PoS) malware. According to their research, this technique involves creating a section object in the system’s kernel, calling a routine to map a view of that section into another process, copying code into that section, and then creating a remote thread to execute the mapped malicious code. It abuses ntdll.dll, a core DLL file of the Windows OS, to stealthily move from the user space into the kernel space and evade traditional antivirus detection as most are programmed to only monitor Windows functions in user mode. However, the kernel space in the Windows 10 OS is guarded, preventing kernel functions from being monitored. The NJCCIC recommends all administrators of PoS systems review the Cyberbit report and monitor network traffic for outgoing connections to unusual or malicious IP addresses, as LockPoS requires the ability to connect to a C2 server to complete the exfiltration of payment card data.