While threats like ransomware might have been making more headlines lately, point-of-sale (POS) malware is still very much active. It mainly targets retailers and hotel chains, while smaller businesses remain a prime target as they’re likely to have even less secure systems.
One of the earliest forms of this type of malware was RawPOS, which has been in operation since 2008. Despite being almost a decade old, RawPOS is still going strong: cybersecurity researchers at Cylance have discovered a new version which, they said, has remained undetected by an unnamed ‘legacy antivirus vendor’ for over a month.
All that it took for this old form of malware to become undetectable was for its developers to remove some of the code. Rather than adding new features, they stripped code out of the new variant, enabling it to avoid the most common signatures for POS malware.
The new variant appeared in January 2017 and was identical to an older version from 2015, save for the alterations to its signature, an updated naming scheme and the removal of a ‘help’ text from the binary.
“This variant has roughly no new functionality. It has even removed some functionality, which is rare considering developers code to add features. The big question is, why would a malware author remove code from their newer variant? This is most likely an attempt to evade signatures, as evidenced on the code areas that changed,” says the report.
Ultimately, it means that malware distributors can make even minimal tweaks to bypass some cybersecurity defences, because many only know how to stop known threats built with a specific type of code.
“The level of development effort that this author had to commit to avoid this signature has been shown to be pretty low,” the report adds and warns organisations that they shouldn’t be lulled into a “false sense of security”.
Organisations should therefore do all they can to ensure that their antivirus products are very much up to date and keep an eye on any alerts.
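The brittleness described above can be seen in a small defensive sketch. This is an added illustration, not code from the Cylance report or from this article: every byte string is a constructed stand-in, and byte n-gram Jaccard similarity is an assumed comparison technique chosen to contrast with a signature keyed on a single string.

```python
"""Exact-string signature versus whole-file similarity (constructed data only)."""

# Constructed stand-ins: a shared code body and a help banner.
BODY = b"".join(b"fn_%03d:scan;match;write;" % i for i in range(60))
HELP_TEXT = b"Usage: sample.exe [-h] [-o FILE]  (constructed help text)"

# "Older" sample: old naming scheme, body, help banner.
OLD_SAMPLE = b"svc_old_name\x00" + BODY + HELP_TEXT
# "New" variant: same body, renamed, help banner removed.
NEW_VARIANT = b"svc_new_name\x00" + BODY
# Unrelated constructed file, used as a false-positive check.
UNRELATED = bytes((i * 37 + 11) % 251 for i in range(len(OLD_SAMPLE)))


def string_signature_hit(data, marker=HELP_TEXT):
    """Signature keyed on one literal string: hit only if it is present."""
    return marker in data


def ngrams(data, n=4):
    """Set of all overlapping byte n-grams in the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a, b, n=4):
    """Jaccard similarity of n-gram sets: 1.0 identical, 0.0 disjoint."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def classify(data, known=OLD_SAMPLE, threshold=0.5):
    """Report both verdicts so the gap between them is visible."""
    score = similarity(data, known)
    return {
        "signature_hit": string_signature_hit(data),
        "similarity": round(score, 2),
        "similar_to_known": score >= threshold,
    }


if __name__ == "__main__":
    for name, blob in [("old", OLD_SAMPLE), ("new", NEW_VARIANT),
                       ("unrelated", UNRELATED)]:
        print(name, classify(blob))
```

The string signature fires only on the older sample, while the similarity score still ties the trimmed variant to it and leaves the unrelated file alone.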