Cybercriminals are using thousands of compromised computers to target point-of-sale (PoS) systems from which they can steal payment card information.
The malware used in these attacks, dubbed BrutPOS by FireEye, was first spotted in February and was later analyzed in March by AlienVault, but the full scope of the operation wasn’t known at the time. For the time being, researchers don’t know exactly how the malware is distributed, but they have found a website that serves the threat, and they believe the attackers might have used specialized distribution services provided by other cybercriminals.
Once the malware infects a computer, it connects to a command and control (C&C) server from which it receives a list of usernames, passwords and IP addresses. This information is used to access Remote Desktop Protocol (RDP) servers and compromise PoS systems.
The malware connects to port 3389, which is the default port for RDP servers, and if the port is open, it uses the credentials supplied by the C&C to carry out a brute-force attack. If the RDP server is successfully breached, the credentials used to access it and its IP address are sent back to the attackers.
The list of usernames includes “backupexec,” “datacard,” “manager,” “pos,” “micros” and “microssvc,” which indicates that the cybercriminals are targeting specific systems, FireEye said.
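The pattern described above (repeated failed RDP logons from one source cycling through PoS-vendor account names, followed by a success that the bot reports back to its C&C) is something a defender can look for in authentication logs. The following is an added detection example, not code from FireEye or the article; the log lines are constructed in a simplified Windows-style format (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Usernames the article reports BrutPOS trying against RDP servers.
BRUTPOS_USERNAMES = {"backupexec", "datacard", "manager", "pos", "micros", "microssvc"}

# Constructed sample log lines (not real data), simplified Windows security events:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-07-09T10:00:01 EventID=4625 LogonType=10 User=pos Src=203.0.113.5
2014-07-09T10:00:02 EventID=4625 LogonType=10 User=micros Src=203.0.113.5
2014-07-09T10:00:03 EventID=4625 LogonType=10 User=manager Src=203.0.113.5
2014-07-09T10:00:04 EventID=4625 LogonType=10 User=admin Src=203.0.113.5
2014-07-09T10:00:05 EventID=4625 LogonType=10 User=datacard Src=203.0.113.5
2014-07-09T10:00:06 EventID=4624 LogonType=10 User=microssvc Src=203.0.113.5
2014-07-09T10:05:00 EventID=4625 LogonType=2 User=alice Src=192.0.2.10
2014-07-09T10:06:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.10
"""

LINE_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)")

def analyze(log_text):
    """Per source IP: count failed RDP logons, record which PoS-vendor usernames
    were tried, and note whether a successful RDP logon followed the failures."""
    stats = defaultdict(lambda: {"failures": 0, "pos_users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event_id, logon_type, user, src = m.groups()
        if logon_type != "10":  # only RDP (RemoteInteractive) logons matter here
            continue
        entry = stats[src]
        if event_id == "4625":
            entry["failures"] += 1
            if user.lower() in BRUTPOS_USERNAMES:
                entry["pos_users"].add(user.lower())
        elif event_id == "4624" and entry["failures"] > 0:
            entry["success_after_failures"] = True
    return dict(stats)

def flag_sources(log_text, failure_threshold=5):
    """Sources that reach the failure threshold (assumed value), or that tried
    PoS-vendor usernames and then logged in: the brute-force-then-success pattern."""
    flagged = {}
    for src, s in analyze(log_text).items():
        if s["failures"] >= failure_threshold or (s["pos_users"] and s["success_after_failures"]):
            flagged[src] = s
    return flagged
```

On real systems the equivalent signal is Event ID 4625/4624 with logon type 10 in the Windows Security log, and the same aggregation can be run over exported events.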
So far, FireEye has identified five C&C servers in Russia, Germany and Iran, though three of them are currently inactive. By accessing the control panel from which the attackers control the BrutPOS botnet, security researchers determined that a total of over 5,600 devices have been compromised, but only some of them are active at any given time.
The infected devices are spread out across 119 countries, but most infections were spotted in Russia, India, Vietnam, Iran, Taiwan, Ukraine, Turkey, Serbia, Egypt and Mexico.
As far as the targeted RDP servers are concerned, most of them are located in the United States. Of the 60 systems compromised by the attackers over a two-week period, 51 are in the United States, the security firm said.
Furthermore, a honeypot set up by FireEye has shown that the attackers connect to compromised servers from which they attempt to take credit card information. Once they’re done with a system, the cybercriminals format (wipe) its hard drive to cover their tracks. Researchers have also uncovered an executable that extracts payment card data from running processes.
Based on the Russian language interface of the BrutPOS administration panel and the IP addresses used to connect to it, FireEye believes that the individuals behind this operation are most likely located in Russia or Ukraine.
“POS systems remain a high priority target for cybercriminals,” FireEye researchers noted in a blog post. “While new malware and more advanced attacks are taking place, standard attacks against weak passwords for remote administration tools presents a significant threat.”