PoSeidon

PoSeidon is point-of-sale (PoS) malware first identified by researchers in 2015. It scrapes the memory of PoS systems for credit and debit card data, i.e. the magnetic-stripe track data that sits in cleartext in the payment application's process memory between a card swipe and encryption. The malware self-updates, includes a keylogger component built to steal credentials for the LogMeIn remote access application, uses obfuscation to evade detection, and communicates directly with its exfiltration servers, most of which are hosted on Russian domains. In March 2016 (see Reporting below) the malware was modified to add a persistence monitoring capability: PoSeidon actively monitors its own PoS system processes to maintain infection and functionality, and if the malware is removed from the system, the monitor process waits two minutes and then re-infects it. Remediation therefore has to remove the monitor process together with the primary component, or the infection returns.
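The memory-scraping step described above, as an added example written for this page rather than taken from Talos's analysis or from PoSeidon itself: regular expressions for Track 1 and Track 2 data, a Luhn check to discard digit runs that are not PANs, and a constructed byte buffer standing in for the payment application's process memory (the 4111... number is a standard test PAN, not real card data; the regex tolerances are assumptions, not PoSeidon's). The same scan run over a memory dump of the payment process is a useful hunt, because it shows whether cleartext track data is present for a scraper to take.

```python
import re

# Track 1 (format B) and Track 2 layouts as they appear in memory. The character
# classes are deliberately loose: scrapers tolerate field variations, and so should
# a hunt over a memory dump. Assumption: ASCII-encoded track data.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})[0-9A-Z ]{0,80}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[0-9]{0,33}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; separates a PAN from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # bytes iterate as ints
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """BIN plus last four only; a hunt must never log a full PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in buf, in offset order."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, exp = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": name.decode("ascii"), "expiry": exp.decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1), m.group(2)
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": exp.decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "process memory": a Track 1 and a Track 2 record built around
# the 4111 1111 1111 1111 test PAN, plus a log line and a Track 2 decoy whose PAN
# fails the Luhn check. No real card data.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    + b"\x00" * 16
    + b"log entry: 4111111111111112 total=12.50"
    + b"\x00" * 32
    + b";4111111111111112=25121011234567890?"  # decoy: bad check digit
    + b"\x00" * 16
    + b";4111111111111111=25121011234567890?"
    + b"\x00" * 64
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

On a live host the scraper has to read this data out of another process, so the detection point is an unexpected binary calling OpenProcess/ReadProcessMemory against the payment application; the pattern matching above only operates on the bytes once they have been read.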

Reporting

  • March 2016: PoSeidon PoS malware was modified to incorporate a persistence monitoring capability. (Accept Local)
  • March 2017: Attackers used PoSeidon to infect 24x7 Hospitality Technology PoS terminals used at establishments of Select Restaurants Inc., including Winberie’s Restaurant and Bar in Princeton and Summit, New Jersey; Black Powder Tavern in Valley Forge, Pennsylvania; and the Rusty Scupper in Baltimore, Maryland. (KrebsOnSecurity)
  • July 2017: Unidentified attackers breached the network of Avanti Markets, a company that produces self-service vending kiosks, and pushed a malicious update containing PoSeidon to the kiosks. The breach compromised customers' payment card data and may also have exposed biometric data, since newer kiosks accept payment by fingerprint scan. Avanti Markets published a notice about the incident on its website. (KrebsOnSecurity)

Technical Details

  • Cisco's Talos Group provides technical details on the PoSeidon malware, available here.
  • RiskAnalytics provides IoCs associated with the Avanti Markets breach here.