RtPOS Malware

Researchers say RtPOS contains only a limited set of functions. For example, the malware's binary accepts only two command-line arguments, install and remove, and nothing else.

The malware is also a classic RAM scraper and nothing more, without any extra bells and whistles. This contrasts with many recent POS malware strains that incorporate functions borrowed from infostealers and remote access trojans, giving crooks an all-in-one threat for hunting and collecting data.

RtPOS, by comparison, has one primary function: watch a PC's RAM for text patterns that look like card numbers and save those numbers to a local DAT file. It doesn't look for SSNs, passwords, driver's license data, or anything else.

But this is not the most glaring characteristic of RtPOS. The malware, the researchers say, has no networking features, meaning it does not contact remote servers for additional commands or to exfiltrate stolen data.

All collected payment card data is stored inside the local DAT file and left there, for the operators to retrieve by some other means.
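The scanning step described above, as an added example that is not RtPOS code and not code from the researchers cited: it walks a byte buffer standing in for a slice of POS process memory, picks out digit runs of plausible PAN length, keeps only those that pass the Luhn check, and separately recognises Track 2 records. The sample buffer is constructed for this example and contains only public test card numbers; the same logic, run in reverse by a defender, is what a memory or DLP scan for leaked card data does.

```python
"""Scanning a memory buffer for card-number-looking patterns.

Added example, not RtPOS code and not code from the researchers cited
above. The sample buffer is constructed for this example; the PANs in
it are public test numbers, not real cards.
"""
import re
from typing import Dict, List, Tuple

# A PAN is 13 to 19 digits; the look-arounds stop us matching the middle
# of a longer digit run such as a timestamp or a transaction id.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Track 2 layout: ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a scanner's log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> Dict[str, list]:
    """Return Luhn-valid PAN candidates and Track 2 records found in buf.

    pans:   list of (offset, masked PAN)
    track2: list of (offset, masked PAN, YYMM expiry)
    """
    pans: List[Tuple[int, str]] = []
    for m in PAN_RE.finditer(buf):
        candidate = m.group(1).decode("ascii")
        if luhn_ok(candidate):          # drops most digit runs that are not cards
            pans.append((m.start(1), mask(candidate)))

    tracks: List[Tuple[int, str, str]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            tracks.append((m.start(), mask(pan), m.group(2).decode("ascii")))

    return {"pans": pans, "track2": tracks}


# Constructed stand-in for a chunk of a POS process's memory: protocol
# noise, an order id, a bare PAN, a 16-digit number that fails Luhn,
# a Track 2 record, and a 15-digit Amex test number.
SAMPLE_MEMORY = (
    b"\x00\x00GET /status HTTP/1.1\r\n\x00"
    b"ORDER#20180822-000123 "
    b"PAN=4111111111111111 EXP=12/25\x00"
    b"ref 1234567890123456 \xff\xfe"
    b";5555555555554444=25121010000?"
    b"\x00amex 378282246310005\x00"
)

if __name__ == "__main__":
    hits = scan_buffer(SAMPLE_MEMORY)
    for off, pan in hits["pans"]:
        print(f"PAN  at 0x{off:04x}: {pan}")
    for off, pan, exp in hits["track2"]:
        print(f"TRK2 at 0x{off:04x}: {pan} exp {exp}")
```

On the sample buffer the 16-digit reference number is rejected by the Luhn check while the three test PANs and the Track 2 record are reported; a real scraper would dump the raw digits to its DAT file rather than masking them, which is exactly why the file itself is worth hunting for on a POS host.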

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against RtPOS and similar threats. Keeping endpoint security up to date provides a cross-generational blend of threat defense techniques that protect systems from POS malware. Because RtPOS never phones home, network-based controls will not see it; detection has to happen on the host, by watching for processes that read the memory of the POS application and for unexpected DAT files left beside it.

CVE-2018-12829

Adobe has released a security update for the Creative Cloud Desktop Application for Windows and macOS. The update resolves an important vulnerability (CVE-2018-12829) that could lead to privilege escalation. Affected versions of the Creative Cloud Desktop Application are 4.6.0 and earlier.

Source: Adobe

How do you protect yourself?

Download the latest Creative Cloud Desktop App (version 4.6.1 or later) to fix this vulnerability.

CEIDPageLock Rootkit

The RIG exploit kit, which at its peak infected an average of 27,000 machines per day, has been grafted with a new tool designed to hijack browsing sessions. The malware in question, a rootkit called CEIDPageLock, has been distributed through the exploit kit in recent weeks.

CEIDPageLock was detected when it attempted to tamper with a victim's browser, setting the homepage to 2345.com, a legitimate Chinese directory for weather forecasts, TV listings, and more. The researchers say that CEIDPageLock is sophisticated for a browser hijacker, and that the version now bolted on to RIG has received "noticeable" improvements.

Among the new additions is functionality that monitors the user's browsing activity, alongside the ability to replace a number of websites with fake home pages.

The malware targets Microsoft Windows systems. The dropper extracts a 32-bit kernel-mode driver and saves it in the Windows temporary directory under the name "houzi.sys." The driver is signed, but the issuer has since revoked the certificate.

The driver executes hidden amongst standard drivers during setup; the dropper then sends the victim PC's MAC address and user ID to a command-and-control (C&C) domain. That information is used, once the victim begins browsing, to download the desired malicious homepage configuration.
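A triage check for the traits just described, as an added example that is not CEIDPageLock code and not any vendor's detection rule: it takes driver-load records and flags a driver written to a Temp directory, the file name houzi.sys, and a signature whose status is anything other than valid (a revoked certificate included). The records are constructed for this example; their field names are an assumption, loosely modelled on the Sysmon Event ID 6 (Driver loaded) fields ImageLoaded, Signed, Signature and SignatureStatus rather than a verbatim Sysmon schema, and the signer names in them are placeholders.

```python
"""Triage of kernel-driver load events for the CEIDPageLock pattern.

Added example, not CEIDPageLock code and not a vendor's detection rule.
Record field names are an assumption loosely modelled on Sysmon Event
ID 6; the sample records and signer names are constructed placeholders.
"""
import ntpath
from typing import Dict, List, Tuple

# File name indicator from the report above.
KNOWN_BAD_NAMES = {"houzi.sys"}
# Fragments that identify a temporary directory in a lower-cased Windows path.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def driver_load_reasons(ev: Dict[str, object]) -> List[str]:
    """Return the reasons one driver-load record looks suspicious (empty if none)."""
    path = str(ev["image_loaded"])
    lowered = path.lower()
    name = ntpath.basename(lowered)
    reasons: List[str] = []
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("kernel driver loaded from a temporary directory")
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"file name {name} matches a known CEIDPageLock indicator")
    status = str(ev.get("signature_status", "Unavailable"))
    # An unsigned driver, or one whose certificate is revoked, expired or
    # otherwise not valid, fails this check; only "Valid" passes.
    if not ev.get("signed", False) or status.lower() != "valid":
        reasons.append(f"signature not valid (status: {status})")
    return reasons


def triage(events) -> List[Tuple[str, List[str]]]:
    """Return (image path, reasons) for every record that tripped at least one check."""
    flagged: List[Tuple[str, List[str]]] = []
    for ev in events:
        reasons = driver_load_reasons(ev)
        if reasons:
            flagged.append((str(ev["image_loaded"]), reasons))
    return flagged


# Constructed records; "Example Signer Co" and "Example Vendor" are placeholders.
SAMPLE_EVENTS = [
    {"image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "signed": True, "signature": "Microsoft Windows", "signature_status": "Valid"},
    {"image_loaded": r"C:\Users\alice\AppData\Local\Temp\houzi.sys",
     "signed": True, "signature": "Example Signer Co", "signature_status": "Revoked"},
    {"image_loaded": r"C:\Program Files\Example Vendor\drv\evdisk.sys",
     "signed": True, "signature": "Example Vendor", "signature_status": "Valid"},
    {"image_loaded": r"C:\Windows\Temp\update.sys",
     "signed": False, "signature": "", "signature_status": "Unsigned"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a live Windows host the same three fields come from Sysmon's Driver loaded event (ID 6) in the Microsoft-Windows-Sysmon/Operational log, or can be reconstructed by running Get-AuthenticodeSignature in PowerShell over the PathName of each entry returned by Get-CimInstance Win32_SystemDriver; a third-party driver in Program Files with a valid signature passes, while the houzi.sys record trips all three checks.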

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against the CEIDPageLock rootkit and similar threats. Keeping endpoint and firewall security up to date provides a cross-generational blend of threat defense techniques to protect systems from malware. Keeping browsers and their plugins patched removes the footholds the RIG exploit kit relies on, and a kernel driver appearing in a Temp directory, or any driver whose signing certificate has been revoked, should be treated as a strong indicator of compromise.