Trend Micro researcher Anthony Joe Melgarejo says the sophisticated Angler exploit kit popular in cybercrime circles is now targeting point-of-sale (PoS) systems.
It appears to be the first time an exploit kit has included PoS in its list of hackable platforms, putting them alongside the likes of Adobe Flash, Reader, Java, and Internet Explorer as targets crims think are low-hanging fruit.
Melgarejo says Angler often establishes a network beachhead with a malvertising campaign targeting web PoS terminals and vendors including Verifone.
"[The] PoS reconnaissance trojan (Troj_Recoload.a) checks for multiple conditions in the infected system such as if it is a PoS machine or part of a PoS network," Melgarejo says.
"It then proceeds to download specific malware depending on the conditions met.
"This utilises the fileless installation capability of the Angler Exploit Kit to avoid detection."
Angler exploits two Adobe Flash vulnerabilities (CVE-2015-0336, CVE-2015-3104) before dropping trojan Recoload.A.
Melgarejo says Angler uses some anti-analysis tricks to shut down in the presence of white hats including looking for running instances of Wireshark, virtualisation, sandboxing, and known malware probe tool usernames. ®