Freely subscribe to our NEWSLETTER

Inside Recent Point-of-Sale Malware Campaign Activities
Curt Wilson, Dave Loftus, Matt Bing

It appears that there are at least three distinct versions of Dexter:

1. Stardust (looks to be an older version, perhaps version 1)

2. Millenium (note spelling)

3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other POS malware to include Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere and therefore shall be the main focus herein. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere

Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere

For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -