Retailers targeted by new point-of-sale malware through job requests

The NitlovePOS malware spreads through phishing campaigns and extracts both track one and two payment card data.


Researchers have discovered a new point-of-sale malware variant which targets machines through indiscriminate spam campaigns.

According to FireEye's security team, the NitlovePOS malware is the latest malicious software used to target the lucrative retail market. Point-of-sale (POS) malware is written and tailored to steal customer payment data -- especially credit card data -- from checkout systems used in retail stores, and often finds its way onto vulnerable systems through malicious email campaigns.

NitlovePOS is one such malware, and has been recorded by researchers through indiscriminate spam campaigns which instruct victims to download malicious payloads containing the threat. First discovered on May 20, 2015, the spam campaign uses spoofed Yahoo! mail accounts and contains subject lines related to job opportunity inquiries, internship questions, job postings and resumes.

If you receive an email related to such topics, you would often expect a CV to be attached -- especially if you run a small retail business -- and the threat actors capitalize on this.

Spam campaign .doc attachments, often named CV_(4 numbers).doc or My_Resume_[4 numbers].doc, are embedded with a malicious macro. Once downloaded, victims find the document is "protected," tricking them to enable the macro.


If enabled, the attachment downloads and executes a malicious executable dubbed dro.exe, which the threat actors are constantly updating. This payload is then given instructions to download a host of new malware, including NitlovePOS.

"We speculate that once the attackers have identified a potentially interesting host form among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE's hosted on that server, we have only observed three downloads of "pos.exe"," the researchers say.

The malware adds itself to the Run Registry key on Windows machines, and as explained by FireEye:

"NitlovePOS expects to be run with the "-" sign as argument; otherwise it won't perform any malicious actions. This technique can help bypass some methods of detection, particularly those that leverage automation.

If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data. If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort."

The malware can scan, capture and send both track one and track two payment card data to a waiting command-and-control (C&C) center. Track one contains a cardholder's name and account number, while track two, most commonly used, stores information relating to the card holder's account, encrypted PIN and other data. NitlovePOS is able to scan the running processes of a compromised machine, which then takes this data and sends to a webserver via SSL channels.

It is believed the malware originates from an address located in St. Petersburg, Russia.

A number of new POS malware strains have been detected over 2015, including a new Alina variant, LogPOS and Punkey. Last Year, the US Department of Homeland Security issued an advisory warning businesses to stay on their guard against Backoff, a virulent POS malware strain which goes largely undetected by antivirus software.