The Los Angeles based cyber threat intelligence firm IntelCrawler has identified a new type of Point-of-Sale (PoS) malware called d4re|dev1| (leetspeak for "daredevil"). This strain is mainly hitting mass transit systems, such as ticket vending machines and electronic kiosks. Its feature set amounts to a complete package: it acts as an advanced backdoor with remote administration, keylogging and RAM-scraping capabilities.

IntelCrawler suspects that the latest PoS malware is being developed by underground cybercriminals simply because of the high return on investment they get from attacks on large retailers such as Target or Home Depot.

The malware is said to have a "File Upload" feature, which can be used to update its payload remotely. The names of legitimate software, such as Google Chrome, are used to hide the malware's process; other names seen include "PGTerm.exe" and "hkcmd.exe". To get around infrastructure limitations and security policies designed to detect the malware, the adversaries use this file upload feature to install additional backdoors and tools.
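A process that calls itself chrome.exe or hkcmd.exe but runs from a temp or application-data directory is the kind of masquerade described above. The following hunt script is an added example (not IntelCrawler's code, and not the malware): it takes a process listing with image name and on-disk path, flags any watch-listed name that runs outside the directory the real binary is installed in, and flags anything running from a user-writable location. The expected install directories, the user-writable path markers and the sample process list are assumptions constructed for the example; on a live terminal you would feed it the output of `psutil`, `Get-Process`, or a WMI/EDR export instead.

```python
"""Hunt for processes whose image name imitates a legitimate binary but whose
on-disk path is not where that binary lives (added example, not from the report)."""
import ntpath
from typing import Optional

# Image names the report says the malware hides behind, mapped to the directories
# the legitimate binary is installed in. Windows default locations are assumed.
EXPECTED_DIRS = {
    "chrome.exe": (
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    ),
    "hkcmd.exe": (r"c:\windows\system32",),
    # Assumption: no legitimate location is known for PGTerm.exe on a PoS build,
    # so any instance is worth a look.
    "pgterm.exe": (),
}

# Path fragments that mark directories a low-privilege user can write to.
# A "system" binary running from one of these is suspicious whatever its name.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def classify(name: str, path: str) -> Optional[str]:
    """Return a reason string if the process looks like a masquerade, else None."""
    name = name.lower()
    # ntpath handles Windows paths on any host, so the check runs offline on exports.
    directory = ntpath.dirname(ntpath.normpath(path).lower())
    if name in EXPECTED_DIRS:
        expected = EXPECTED_DIRS[name]
        if not expected:
            return "watch-listed name with no known legitimate location"
        if directory not in expected:
            return f"{name} running from unexpected directory {directory}"
    # Trailing separator so a marker at the end of the directory still matches.
    if any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS):
        return f"{name} running from user-writable directory {directory}"
    return None


def hunt(processes):
    """Run classify() over a process listing; returns (pid, name, reason) tuples."""
    findings = []
    for proc in processes:
        reason = classify(proc["name"], proc["path"])
        if reason:
            findings.append((proc["pid"], proc["name"], reason))
    return findings


# Constructed sample listing, not captured from a real terminal.
SAMPLE_PROCESSES = [
    {"pid": 1204, "name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 3380, "name": "chrome.exe", "path": r"C:\Users\pos\AppData\Local\Temp\chrome.exe"},
    {"pid": 2210, "name": "hkcmd.exe", "path": r"C:\Windows\System32\hkcmd.exe"},
    {"pid": 4416, "name": "HKCMD.EXE", "path": r"C:\ProgramData\Intel\hkcmd.exe"},
    {"pid": 5120, "name": "PGTerm.exe", "path": r"C:\Windows\PGTerm.exe"},
    {"pid": 612, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for pid, name, reason in hunt(SAMPLE_PROCESSES):
        print(f"[!] pid {pid} {name}: {reason}")
```

The path check is deliberately the first rule: a file named chrome.exe in `%TEMP%` is reported as "unexpected directory" even though it would also trip the user-writable rule, so an analyst sees the stronger indicator. Pair this with a signature check on the flagged binaries before escalating, since the name list alone will not catch a sample renamed to something not on the watch list.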

"This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal; they are looking for enterprise-wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers", the blog post reads.

In an investigation conducted by IntelCrawler, it was determined that some operators of Point-of-Sale terminals had violated their own internal security policies and used their terminals for gaming and web surfing, checking e-mail, sending messages and viewing social networks. The compromises happen mainly because of weak logins and passwords, many of which were found in large third-party credential exposures.

According to the latest investigations, various organized crime groups are distributing malicious code and compromising the network environments of merchants and credit card devices, including ticket vending machines and electronic kiosks installed in public places and mass transport systems. The firm reportedly found a compromised device in Sardinia in August 2014 that the attackers controlled through VNC.

The firm's screenshots show the remote access interface to the compromised device over VNC (Virtual Network Computing).

The firm believes that cybercriminals will favour these kinds of devices as targets in the near future.