News Feature | December 11, 2014

New POS Malware Raises Question: Why Would A POS System Talk To Tor?

By Ally Kutz, contributing writer

New point of sale (POS) malware is emerging: LusyPOS. ComputerWorld reports it is being sold in underground markets for only $2,000.

The malware was discovered on VirusTotal, a website that accepts submissions of malware samples and reports which security applications detect them. The sample, uploaded to VirusTotal on Nov. 30, was detected by only seven of the several dozen applications.

In an article for Security Week, Eduard Kovacs explains, “The malware uses a technique known as RAM scraping to collect credit and debit card information from infected systems. In order to validate the data, LusyPOS relies on an implementation of the Luhn algorithm.”
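The Luhn check mentioned above is the same mod-10 test a defender can apply in the other direction: when scanning a memory region or an outbound buffer for card numbers, running Luhn over every 13- to 19-digit run discards timestamps, serial numbers and other digit strings that would otherwise be false positives. The following Python is an added example written for this page, not code from the article or from the malware; the sample buffer is constructed and contains only publicly known test card numbers.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and,
    # if the result has two digits, reduced by 9 (i.e. its digits summed).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# A PAN is 13-19 digits and must not be embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def find_card_like_numbers(buffer: str) -> list[str]:
    """Return every 13-19 digit run in buffer that also passes Luhn.

    This is the filter an egress monitor or memory scanner would use to
    separate real card data from other long numbers.
    """
    return [m for m in PAN_PATTERN.findall(buffer) if luhn_valid(m)]

# Constructed sample: two well-known test PANs in track-2-like form, plus a
# timestamp-style number and a 'near miss' that fails the checksum.
SAMPLE_BUFFER = (
    "txn=2014113012345678;"
    "4111111111111111=15121011234567;"
    "5500000000000004=16031011234567;"
    "ref=4111111111111112"
)

if __name__ == "__main__":
    for pan in find_card_like_numbers(SAMPLE_BUFFER):
        # Mask all but the last four digits before logging anything.
        print("card-like number found: ****" + pan[-4:])
```

Only the two valid test PANs survive the filter; the timestamp-like value and the off-by-one number are dropped, which is why Luhn belongs in any card-data detection rule even though it is not a secret.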

A blog post from reverse engineers Nick Hoffman and Jeremy Humble states that LusyPOS shares characteristics with both Dexter and Chewbacca.

The Security Week article quotes Jeremy Scott, senior research analyst with Solutionary, who adds that the new malware uses the Tor network for command and control (C2) communication: “When it comes to PCI compliance, this type of network communication should never be allowed. Organizations should be on the lookout for attempts to contact suspicious domain names with a .onion TLD and block them immediately.”
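The lookout Scott describes can be automated over resolver logs. Because .onion is a special-use TLD that ordinary DNS cannot resolve (RFC 7686), any .onion query reaching the internal resolver is worth a ticket, and one from the card-processing segment is worth an immediate one. The Python below is an added example for this page, not the article's or Solutionary's code: the log format, host names and the 10.20.30.0/24 POS subnet are all assumptions, and the log lines are constructed rather than captured.

```python
import ipaddress
import re

# Assumed resolver log format (constructed for this example):
# <timestamp> <client-ip> <client-hostname> query <qtype> <qname>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)

# Assumed address range of the POS segment.
POS_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Constructed sample log lines; the .onion names are placeholders, not real
# services. 'onion.example.com' is there to show that only the TLD counts.
SAMPLE_DNS_LOG = """\
2014-12-01T09:15:02Z 10.20.30.7 pos-register-07 query A updates.vendor.example
2014-12-01T09:15:09Z 10.20.30.7 pos-register-07 query A placeholderplaceholde.onion
2014-12-01T09:16:41Z 10.20.30.8 pos-register-08 query A anotherplaceholder.ONION.
2014-12-01T09:17:00Z 10.20.40.12 corp-laptop-12 query A yetanotherplaceholder.onion
2014-12-01T09:18:33Z 10.20.30.9 pos-register-09 query A onion.example.com
"""

def is_onion_name(qname: str) -> bool:
    """True when the query's top-level label is 'onion', ignoring case and a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] == "onion"

def find_onion_lookups(log_text: str, pos_subnet=POS_SUBNET) -> list[dict]:
    """Return one alert per .onion lookup; POS-segment sources are rated high."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_onion_name(m["qname"]):
            continue
        src = ipaddress.ip_address(m["ip"])
        alerts.append({
            "ts": m["ts"],
            "host": m["host"],
            "qname": m["qname"],
            "severity": "high" if src in pos_subnet else "medium",
        })
    return alerts

def pos_hosts_with_onion_lookups(log_text: str) -> set[str]:
    """Convenience view: which POS hosts tried to resolve a .onion name."""
    return {a["host"] for a in find_onion_lookups(log_text) if a["severity"] == "high"}

if __name__ == "__main__":
    for alert in find_onion_lookups(SAMPLE_DNS_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['host']} -> {alert['qname']}")
```

The same severity split applies to a proxy or firewall log: a POS register that should only ever reach its payment gateway and an update server has no legitimate reason to name a .onion host, so the rule can block as well as alert on that segment while the corporate segment gets a lower-priority investigation.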

Hoffman and Humble ask, “When looking into malware families like Chewbacca and now LusyPOS, one thought comes to mind. Why would a POS machine be allowed to talk to Tor? Most PCI audits will attempt to lock this sort of activity down, but there seems to be devils in the implementation that allow malware like this to be successful.”

They comment, “This is just a scratch in the surface of a new malware family. We’ll be curious to watch it evolve over the next couple years and track its progress.”