Security researchers have found an attack aimed at infecting point-of-sale (PoS) systems that uses the Angler Exploit Kit to push a PoS reconnaissance Trojan. This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions on the infected system, such as whether it is a PoS machine or part of a PoS network, and then downloads specific malware depending on which conditions are met. The malware has also been found to use the fileless installation capability of the Angler Exploit Kit to avoid detection. The Angler Exploit Kit often uses malvertisements and compromised sites as the starting point for infection. For this specific incident, we found that the infection chain takes advantage of two Adobe Flash vulnerabilities (CVE-2015-0336 and CVE-2015-3104). After exploiting either vulnerability, the Trojan, detected as TROJ_RECOLOAD.A, finds its way onto the system.
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street