Cybersecurity Insight

Emerging Cyber Threat – Cherry Picker POS Malware

3 Dec

Every holiday season, retailers become prime targets for point of sale (POS) and endpoint-based attacks due to the much higher volume of in-person and online transactions that take place. Attackers know that the high volume of transactions and need to minimize downtime leaves most IT teams in retail little time to detect unusual behavior.

Security researchers are seeing increasingly sophisticated tools used by attackers to steal cardholder data as it traverses the memory of the POS system. One such tool (or family of tools) is named “Cherry Picker” and refers to its targeted method involving scraping the memory of very specific processes that contain credit card numbers and other payment information. This conservative approach minimizes exposure and lessens the chance of behavioral based detection. Current versions are multi-threaded as well, harvesting cardholder data and exfiltrating it via FTP in tandem, significantly reducing the time it takes for the actual theft to occur.

Other evasive techniques leveraged by Cherry Picker include encryption of stolen data when transmitting to an external source, a timeout parameter to specify exactly when and how often the malware runs, and an effective file infection mechanism to ensure persistence. Recent versions have even included a cleanup function that goes to great lengths to hide the malware’s tracks and thwart any forensic research done following a breach.

Impact on You

  • When your business depends on the ability to take payment for the goods or services you offer, a breach of those payment systems could cause a temporary shutdown.
  • The longer you are down, the greater loss you’ll incur, especially when the holidays are your peak season.
  • Known breaches can also have a significant negative impact on your business’s reputation, especially when the malware could have been picked up by IDS or other detection methods.

How Neovera Can Help

Our team continues to develop and contribute actionable and effective threat intelligence that can identify malware infections involving Cherry Picker and other variants. The team has already produced IDS signatures and correlation directives to identify these threats that are available now in the latest threat Intelligence update including:

– System Compromise, Trojan infection, CherryPicker POS