AbaddonPOS

AbaddonPOS malware was first identified by Proofpoint in October 2015, after discovering an infection that resulted from the Vawtrak Trojan. In this case, Vawtrak downloaded multiple payloads including TinyLoader and shellcode that downloaded the AbaddonPOS malware. At this time, AbaddonPOS features include anti-analysis, code obfuscation, custom protocol for exfiltrating data, locating of credit card data, and persistence. AbaddonPOS malware has also been observed spreading through the Angler Exploit KitBedep infections, and the Pony Loader Trojan. AbaddonPOS searches for credit card information by reading memory processes. The malware uses a single hardcoded IP address as its command-and-control (C2) address and encoding to obfuscate exfiltrated data. AbaddonPOS is under active development and is likely to continue spreading via email-based threats to target PoS terminals and harvest payment card data.  

Reporting

  • May 2016: A financially motivated actor sent out phishing emails targeting mostly retail companies, attempting to install TinyLoader and AbaddonPOS PoS malware. (Proofpoint)
     
  • May 2016: AbbadonPOS was updated with code to check blacklisted processes (or processes that wouldn't otherwise be checked) for credit card data, and a whitelisted process list to scan for common PoS process names. (Graham Cluley)

Technical Details

  • Proofpoint provides technical details on AbaddonPOS malware, available here

One example of the AbaddonPOS malware infection chain. Image Source: proofpoint