One of the oldest forms of POS malware has been tweaked to avoid detection

Instead of adding features to stay ahead of targets, some cybercriminals are removing functionality in order to dupe AV software.
Written by Danny Palmer, Senior Writer

POS terminals remain an attractive target for hackers.

Image: iStock

While threats like ransomware have been making headlines lately, point of sales (POS) malware is less reported but still active. It mainly targets retailers and hotel chains, as well as smaller businesses which often have less secure systems.

One of the earliest forms of this type of malware was RawPOS, which has been in operation since 2008. Despite being almost a decade old, RawPOS is still going strong. Cybersecurity researchers at Cylance have recently discovered a new version of it which it said has remained undetected by an unnamed 'legacy antivirus vendor' for over a month.

SEE: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) (TechRepublic)

All that it took for this old form of malware to become undetectable was for the developers behind it to remove some of the code. Rather than adding new features, those behind the malware removed code from the new variant, therefore enabling it to avoid the most common signatures for POS malware.

The new variant appeared in January 2017 and was identical to an older version from 2015, save for the alterations to its signature, updating the naming scheme and removing a 'help' text from the binary.

"This variant has roughly no new functionality. It has even removed some functionality, which is rare considering developers code to add features. The big question is, why would a malware author remove code from their newer variant? This is most likely an attempt to evade signatures, as evidenced on the code areas that changed." says the report.

Ultimately, it means that malware distributors can code in even minimal tweaks to bypass some cybersecurity defences -- because many only know how to stop known threats, built with a specific type of code.

"The level of development effort that this author had to commit to avoid this signature has been shown to be pretty low," the report adds. It warns organisations that they shouldn't be lulled into a "false sense of security".

Organisations should therefore do all they can to ensure that their antivirus products are very much up-to-date and keep an eye on any alerts.

Read more on cybercrime

Editorial standards