A never before seen module has been added to TrickBot malware that implements point-of-sale (POS) data collection functionality

TrickBot is a modular malware that is being actively created. In early November, TrickBot was updated with a password stealing capability, but the most recent update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large amounts of card payments.

The new module was discovered by security experts at Trend Micro who note that, at present, the module is not being deployed to record POS data such as credit/debit card details. At present, the new TrickBot malware module is only gathering data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The experts have not yet discovered how the POS information will be used, but it is highly probable that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been selected, they will likely be subjected to further intrusions.

The new module, titled psfin32, is like a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by deploying LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’

The timing of the update, so near to the holiday period, implies that the threat actors are planning to take advantage of the busy holiday trade and are gathering as much information as possible before the module is used to collect POS data.

The recent updates to TrickBot malware have come along with a malicious spam email campaign (identified by Brad Duncan) which is focusing on companies in the United States. The malspam campaign uses Word documents containing malicious macros that install the TrickBot binary.

Securing from TrickBot and other data stealing malware requires a defense-in-depth approach to cybersecurity. The main attack way that threat actors use TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to stop malicious messages from being delivered to end users’ inboxes. End user training is also important to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and visiting hyperlinks in those messages.

Antivirus solutions and endpoint security measures should also be used to identify and quarantine potentially malicious files in case malware infiltrated databases successfully.