PoSeidon

PoSeidon PoS malware, first identified by researchers in 2015, scrapes memory on point-of-sale (PoS) systems to steal credit and debit card data. The malware self-updates, contains a keylogger component designed to steal credentials for the LogMeIn remote access application, uses obfuscation techniques to evade detection, and communicates directly with its exfiltration servers, most of which are hosted on Russian domains. In March 2016 the malware was modified to incorporate a persistence monitoring capability: PoSeidon actively monitors PoS system processes to maintain its infection and functionality, and if the malware is removed from the system, the monitor process waits two minutes and re-infects it.

Reporting

  • March 2016: PoSeidon PoS malware was modified to incorporate a persistence monitoring capability. (Accept Local)
  • March 2017: Attackers used the PoS malware to infect 24x7 Hospitality Technology terminals, used at establishments of Select Restaurants Inc., including Winberie’s Restaurant and Bar in Princeton and Summit, New Jersey; Black Powder Tavern in Valley Forge, Pennsylvania; and the Rusty Scupper in Baltimore, Maryland. (KrebsOnSecurity)

Technical Details

  • Cisco's Talos Group has published technical details on the PoSeidon malware.