Experts at intelligence firm IntelCrawler have detected a new botnet dubbed Nemanja, composed of compromised POS terminals, accounting systems and grocery management platforms.

In March 2014, experts at IntelCrawler identified Nemanja, one of the biggest botnets based on compromised POS terminals, accounting systems and grocery management platforms.

Cyber-threat intelligence company IntelCrawler is one of the companies most active in the investigation of electronic crimes related to Point-of-Sale (POS) systems; it was among the principal teams involved in the analysis of POS malware such as BlackPOS and Dexter.

“IntelCrawler has unique experience in investigations of Point-of-Sales related e-Crimes and aggregates various information about the distribution of malware targeted at RAM scraping, such as Alina, BlackPOS, Dexter, JackPOS, VSkimmer and its modifications.”

The team of experts at IntelCrawler has a long history of collaboration with the threat intelligence and fraud detection teams of major financial institutions worldwide.

The experts are investigating numerous crimes against retailers and small business infrastructures, “having significant impact on all parties involved in credit card acceptance.”

The name Nemanja is related to the alleged group behind it, whose members from Serbia have similar nicknames. The malicious network is composed of more than 1478 infected hosts distributed between Argentina, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Portugal, Russian Federation, South Africa, Spain, Switzerland, Taiwan, Turkey, UK, USA, Uruguay, Venezuela and Zambia.

“The analyzed botnet has affected various small businesses and grocery stores in different parts of the world, making the problem of retailers’ insecurity more visible after past breaches. Past incidents showed high attention from modern cybercriminality to retailers and small business segments having Point-of-Sale terminals,” explained IntelCrawler in a blog post.

The experts predict a significant increase in the number of data breaches in the impacted industries in the near future; it is likely that new families of malware will be developed with the specific goal of hitting retailers’ back-office systems and cash registers.

“The nature of POS-related crimes can be different from country to country, but it shows the insecurity of modern payment environments. The bad actors combine several attack vectors in order to infect operators’ stations – “drive-by-download” and remote administration channels hacking,” added IntelCrawler, explaining how the criminal phenomenon evolves differently in different countries.

Modern POS malware will be integrated into RATs/Trojans and other malware as a sort of optional module, like keylogger and network-sniffing components.

Why is Nemanja so interesting?

The Nemanja botnet alarms the experts because it is an example of malware that combines POS malware with keylogging capabilities, which criminals use to intercept credentials for various back-office systems and databases in order to steal payment or personally identifiable data.

IntelCrawler has provided a list of examples of compromised systems composing the Nemanja botnet:

  • BEpoz Point of Sale System
  • Caisse PDV
  • CSI POS Ver 1.5
  • CxPOS V8.1 – Cybex Systems POS
  • FuturePOS
  • Figure Gemini POS
  • Gestão Comercial + POS VISION
  • GOLDSOFT 2000 Accounting System
  • GESTPOS 2000
  • IGManager
  • Integrated POS Software Solutions – H&L Australia
  • LinxPOS
  • NCR WinEpts Software Solution
  • QuickBooks Pro Accounting Software
  • RSAPOS – Retail Systems
  • RETAIL for Microsoft Windows v.2006.1211.0.46
  • RetailIQ POS
  • Restaurant Manager
  • Sage Retail 2013.03
  • SICOM Systems Restaurant Management Console
  • Suburban Software System
  • Visual Business Retail – Electronic Point Of Sale
  • WAND POS17
  • WinREST FrontOffice
  • WinSen Electronic Manager

The data related to Nemanja have already been added by IntelCrawler to its “PoS Malware Infection Map” (PMIM). The company provides, as a security feed for card associations, payment providers and various vetted parties, information on cyber threats including compromised merchants, IP addresses of infected terminals and additional information for fraud prevention.

“Compromised Point-of-Sale Terminals Feed comprises a list of compromised payment terminals and network hosts installed in various small businesses and retailers.” “Some part of this data is illustrated on PMIM with details on approximate number of compromised credit cards, geographies and IP addresses of identified infected network hosts,” states IntelCrawler.

Let’s wait for further news on the Nemanja botnet and other POS malware … stay tuned!

Pierluigi Paganini

(Editor-In-Chief, CDM)