CenterPOS Malware

CenterPOS (also known as "Cerebrus") is a point of sale (POS) malware discovered Cyber Security Experts. It was discovered in September 2015 along with other kinds of POS malware, such as NewPOSThings, BlackPOS, and Alina. There are two versions which have been released by the developer responsible: version 1.7 and version 2.0. CenterPOS 2.0 has similar functionality to CenterPOS version 1.7. The 2.0 variant of CenterPOS malware added some more effective features, such as the addition of a configuration file for storing information in its command and control server.

Overview
CenterPOS has been used to target retailers in order to illegally obtain payment card information using a memory scraper. It uses two distinct modes to scrape and store information: a "smart scan" and a "normal scan". At the normal scan mode, the malware looks at all of the processes on a device and determines which ones are not currently running processes, are not named "system", "system idle process" or "idle", and do not contain keywords such as Microsoft or Mozilla. If the process meets the criteria list, the malware will search all memory regions within the process, searching for credit card data with regular expressions in the regular expression list. In smart scan mode, the malware starts by performing a normal scan, and any process that has a regular expression match will be added to the smart scan list. After the first pass, the malware will only search the processes that are in the smart scan list. The malware contains functionality that allows cybercriminals to create a configuration file.

Process Details
CenterPOS malware searches for the configuration file that contains the C&C information. If unable to find the configuration file, it asks for a password. If the password entered is correct, then it payloads the functions to create a configuration file. This malware is very different from other point of sale system malware in that it has a separate component called builder to create a payload.

The CenterPOS malware looks for the credit and debit card information through smart scan mode and then encrypts all the scraped data using Triple DES encryption. Then the memory scraped data is sent to the operator of the malware through a separate HTTP POST request.