A new botnet, codenamed BrutPOS, has been uncovered targeting point of sale (POS) systems with advanced bank card stealing attacks.
The BrutPOS botnet was discovered by researchers at FireEye and has already enslaved 5,622 machines, though only 179 are currently being used by the hackers.
FireEye researchers Nart Villeneuve, Josh Homan and Kyle Wilhoit said in a blog post that the campaign aims to steal financial information from POS systems by targeting Microsoft Remote Desktop Protocol (RDP) servers that have weak passwords.
“[The botnet] uses thousands of compromised computers to scan specified IP address ranges for Remote Desktop Protocol (RDP) servers that have weak or default passwords in an effort to locate vulnerable point of sale (POS) systems,” read the blog post.
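The password-guessing activity described above leaves a recognisable trace in the target's own Windows Security log. As an added example (not code from FireEye or this article), the following Python flags a source IP that produces a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) and notes whether a successful RDP logon (4624) followed from the same source; the events are constructed, and the field names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not real data).
# Event ID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
def ev(time, event_id, src, user, logon_type=10):
    return {"time": time, "event_id": event_id, "src": src,
            "user": user, "logon_type": logon_type}

SAMPLE_EVENTS = [
    ev("2014-07-09T10:00:00", 4625, "203.0.113.7", "administrator"),
    ev("2014-07-09T10:00:02", 4625, "203.0.113.7", "admin"),
    ev("2014-07-09T10:00:04", 4625, "203.0.113.7", "pos"),
    ev("2014-07-09T10:00:06", 4625, "203.0.113.7", "user1"),
    ev("2014-07-09T10:00:08", 4625, "203.0.113.7", "guest"),
    ev("2014-07-09T10:00:09", 4624, "203.0.113.7", "pos"),   # guess succeeded
    ev("2014-07-09T10:05:00", 4625, "198.51.100.2", "cashier"),  # single typo
    ev("2014-07-09T10:00:01", 4625, "-", "clerk", logon_type=2),  # console, ignored
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source IP with >= threshold failed RDP logons
    inside a sliding window. success_after is True when a successful RDP
    logon from the same source follows the burst, the sign of a guessed
    weak or default password rather than a mistyped one."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only RDP logons are of interest
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src"]].append((ts, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src"]].append(ts)
    alerts = []
    for src, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1                      # extend window to the right
            if j - i + 1 >= threshold:
                users = sorted({u for _, u in fails[i:j + 1]})
                hit = any(s >= times[j] for s in successes.get(src, []))
                alerts.append({"src": src, "failed": j - i + 1,
                               "users": users, "success_after": hit})
                break                       # one alert per source is enough
    return alerts
```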
The researchers said current evidence suggests the campaign has been running for around two weeks and has already infiltrated at least 57 POS systems.
It is currently unclear how the criminal group is spreading the malware, though FireEye has uncovered evidence it is leveraging support from the wider cyber crime community.
“It is unclear exactly how the BrutPOS malware is being propagated. We have found that the malware is being distributed along with a considerable amount of otherwise unrelated malware by the site destre45[.]com. The attackers may have used a distribution service provided by other cyber criminals,” read the post.
The FireEye researchers noted the campaign is particularly dangerous because the botnet owners’ management system grants them a variety of intelligence and attack capabilities.
“The attackers are able to control the botnet from a web-based administration panel. This panel provides a statistical overview of the botnet,” read the post.
“The attackers are able to view the details of the infected systems under their control including the IP address and geographic location as well as status of the infected systems’ brute forcing activities (bad / good / errors / threads / version) and the timestamp of the last connection to the C2. The attackers may also specify commands such as reload and delete.”
FireEye reported it is still too early to attribute the attack, but said it is likely being carried out by an Eastern European group.
Botnets are an ongoing problem facing businesses of all sizes. Law enforcement across the globe mounted a coordinated operation against the GameOver Zeus botnet in June, in an effort to combat the problem.