New Neutrino variant targets POS terminals worldwide

Neutrino modification steals credit card information from point-of-sale terminals

Neutrino strikes to POS terminals

On the most infamous Trojans in the world, known as Zeus[1], has a new variant that targets point-of-sale terminals. The new malware is dubbed Neutrino, although some security experts might call it Neutrino POS.

According to a report by Kaspersky[2], the new virus is programmed to collect credit card information from compromised point-of-sale (POS) terminals.

Reverse engineer/malware analyst Sergey Yunakovsky shared his insights, stating that the freshly discovered malware doesn’t start its activities instantly – it firstly waits. According to the researcher, such technique was probably chosen to deceive AV sandboxes.

The code of the virus includes a delay function, which is set to generate a random number and delay the start of the program for a particular period.

The Trojan carries an encoded list of Command & Control[3] addresses in its body. It decodes them and extracts them. Consequently, it attempts to identify an available C&C server.

The Command & Control server provides the following commands to the malicious program:

  1. Download and launch the malicious file;
  2. Create screenshots;
  3. Find particular processes by their names;
  4. Modify registry branches;
  5. Find specific files on infected device and send it to Command & Control server;
  6. Use proxy.

The analysis shows that commands are transmitted in a plain view encoded in base64. On top of that, it seems that the current version of the malware isn’t intended to launch DDOS attacks[4].

Stealing credit card information in a silent way

Neutrino POS Trojan uses a certain algorithm to steal private credit card information. It starts to work through a currently running Process32NextW process. Then it uses ReadProcessMemory to access information stored in the process’ memory pages. Finally, the malware checks the memory for “Track1.” This string marks the beginning track of the magnetic card.

The virus analyzes all the fields and symbol sequences using Luhn algorithm. Finally, it steals card holder’s full name, CVC32, expiration date, CVV and transmits data to its server under “Track1” mark. Then the Trojan extracts PAN and the rest of sensitive data and sends it to the C&C server under “Track2” mark.

Distribution of Neutrino POS

Statistics show that the described Trojan mostly affected Russia[5] and Kazakhstan countries. The Trojan also compromised quite a lot of devices in Ukraine and Mexico.

Other countries that fell victim to the attack are USA, China, Iran, Turkmenistan, Uzbekistan, France, Germany, Poland, and others.

According to Kaspersky, 10% of the compromised computers belong to small business corporate clients.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions