Point of Sale (POS) terminals handle the data of thousands of credit cards, which makes them critical systems as well as an increasingly sought-after target of cybercrime. Attacking these devices anonymously online is relatively straightforward, and selling the data on the black market is profitable.

We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.

The malware samples that we’ll be analyzing are the following:

| File name | MD5 |
|---|---|
| Epson.exe | 69E361AC1C3F7BCCE844DE43310E5259 |
| Wnhelp.exe | D4A646841663AAC2C35AAB69BEB9CFB3 |

Epson.exe presents an invalid certificate:

Both samples were compiled with Microsoft Visual C++ 8, and are not packed or encrypted. Once the malware is executed in the system, it proceeds to analyze the different system processes in search of credit cards.

Here we can see how they go through the different processes looking only for those that can contain credit cards in memory:

In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:

| Program name | Description |
|---|---|
| notepad++.exe | Text editor |
| CreditCardService.exe | Microsoft |
| DSICardnetIP_Term.exe | NETePay for Mercury |
| DSIMercuryIP_Dial.exe | NETePay for Mercury |
| EdcSvr.exe | Aloha Electronic Draft Capture (EDC) |
| fpos.exe | Future POS |
| mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe | SlipStream POS System Transaction Processor by mXpress |
| NisSrv.exe | Windows 8 |
| spcwin.exe / Spcwin.exe / SPCWIN.exe / SPCWIN.EXE | POSitouch (Food Service Industry POS System) |

On the other hand, the “Wnhelp.exe” sample contains a list that is used to discard the processes to be analyzed. If the process name coincides with any item on the list, it will not be analyzed in the search for credit cards:

Discarded processes:
explorer.exe alg.exe
chrome.exe wscntfy.exe
firefox.exe taskmgr.exe
iexplore.exe spoolsv.exe
svchost.exe QML.exe
smss.exe AKW.exe
csrss.exe OneDrive.exe
wininit.exe VsHub.exe
steam.exe Microsoft.VsHub.Server.HttpHost.exe
devenv.exe vcpkgsrv.exe
thunderbird.exe dwm.exe
skype.exe dllhost.exe
pidgin.exe jusched.exe
services.exe jucheck.exe
winlogon.exe lsass.exe


In both samples, once a process has been selected for analysis, whether because it was on the list (as with Epson.exe) or because it was not on the discard list (as with Wnhelp.exe), the malware creates a new thread:

It then analyzes the memory using an algorithm specifically designed to check whether the data found is from credit cards:

The Wnhelp.exe sample is executed by the attackers with the command “install”, in such a way that it creates a service to ensure its persistence in the system:

The service is called “Windows Error Reporting Service Log”.

The sample Epson.exe works in the same way, although attackers can configure the name of the service as they want through parameters:

install [Service name] [Service description] [Third parameter]

Each variant connects to a different command and control (C&C) server:

Wnhelp.exe wp-admin/gate1.php


They can then receive different orders from the attacker:

| Command | Description |
|---|---|
| update = [URL] | Malware update. |
| dlex = [URL] | Downloads and runs file. |
| chk = [CRC_Checksum] | Updates the file’s checksum. |

To connect to the control panel, they use the following User-Agent:

“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”

Communication is carried out over SSL. The malware modifies the internet connection configuration to ignore unknown CAs (Certificate Authorities), thereby ensuring that it will be able to use its own certificate.

First, it obtains the internet connection security flags through the InternetQueryOptionA API with the third argument set to the value INTERNET_OPTION_SECURITY_FLAGS (31). Once obtained, it applies a bitwise OR with the flag SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).
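The indicators described above (file names, MD5 hashes, the fixed Wnhelp.exe service name, the User-Agent and the gate path) can be combined into a simple log triage. This is an added example, not code from the original analysis; the record field names (`service_name`, `image_path`, `md5`, `user_agent`, `url_path`) and the sample records are constructed assumptions.

```python
import re

# Indicators as published in the article above.
MD5S = {"69e361ac1c3f7bcce844de43310e5259", "d4a646841663aac2c35aab69beb9cfb3"}
FILE_NAMES = {"epson.exe", "wnhelp.exe"}
SERVICE_NAME = "windows error reporting service log"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
              "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")
GATE_PATH = re.compile(r"/wp-admin/gate1\.php(?:\?|$)", re.I)
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)', re.I)

def match_indicators(event):
    """Return the article's indicators present in one normalized log record."""
    hits = set()
    if event.get("md5", "").lower() in MD5S:
        hits.add("md5")
    if event.get("service_name", "").strip().lower() == SERVICE_NAME:
        hits.add("service_name")
    names = EXE_NAME.findall(event.get("image_path", ""))
    if any(n.strip().lower() in FILE_NAMES for n in names):
        hits.add("file_name")
    if event.get("user_agent", "") == USER_AGENT:
        hits.add("user_agent")
    if GATE_PATH.search(event.get("url_path", "")):
        hits.add("gate_path")
    return hits

def severity(hits):
    """A file name or User-Agent alone is weak: both strings can occur
    legitimately, and the Epson.exe service name is attacker-chosen."""
    if hits & {"md5", "service_name"} or {"user_agent", "gate_path"} <= hits:
        return "high"
    return "review" if hits else "none"

# Constructed sample records (field names are this example's own schema).
SAMPLE_EVENTS = [
    {"host": "pos-01", "service_name": "Windows Error Reporting Service Log",
     "image_path": r'"C:\Windows\Temp\Wnhelp.exe"'},
    {"host": "pos-02", "service_name": "Printer Spool Helper",
     "image_path": r"C:\ProgramData\Epson.exe",
     "md5": "69E361AC1C3F7BCCE844DE43310E5259"},
    {"host": "pos-03", "user_agent": USER_AGENT, "url_path": "/wp-admin/gate1.php"},
    {"host": "office-07", "image_path": r"C:\Program Files\Vendor\Epson.exe"},
    {"host": "office-09", "user_agent": "curl/8.4.0", "url_path": "/index.html"},
]

def triage(events):
    return {e["host"]: severity(match_indicators(e)) for e in events}
```

Because the Epson.exe variant takes its service name from parameters, only the hash identifies it reliably; a bare file-name match is returned as `review` rather than `high`.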

Conclusion: How to Confront a POS Attack

Attacks on POS terminals are still very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that do not have specialized personnel in computer science, much less in security, an oversight that attackers can take advantage of.

POS terminals are computers that handle critical data and therefore must be fortified to the maximum in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed in these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who will be responsible for ensuring that all executed processes are safe.