A point-of-sale (PoS) malware family targeting payment systems mainly in the U.S. and Canada since at least January 2017. The payment card dumps contain data stolen from American Express, Discover, MasterCard, Visa, Diners Club, and Maestro cards.
Cherry Picker is a Point-of-Sale (PoS) memory scraper malware first identified by Trustwave analysts. It has been active since at least 2011 and went largely undetected for several years. It is typically found on systems also infected with the “searcher.dll” downloader. At the time of detection, researchers found three versions of the malware, each an improvement on the previous one.
Floki Bot, a banking Trojan created using code from Zeus, was first discovered in 2016 and spiked in attacks during the latter half of that year. It evolved in these first few months, gaining new capabilities including anti-detection features and use of the Tor network.
FastPOS, discovered in June 2016, is distributed via file sharing, direct file transfer via Virtual Network Computing (VNC), or links directing victims to a compromised website. This variant transmits stolen data to the attacker’s C2 server quickly and in real time, instead of intermittently transmitting locally stored data.
PoSeidon PoS malware, first identified by researchers in 2015, scrapes memory on PoS systems to steal credit and debit card data.
AbaddonPOS malware was first identified by Proofpoint in October 2015, after discovering an infection that resulted from the Vawtrak Trojan. In this case, Vawtrak downloaded multiple payloads including TinyLoader and shellcode that downloaded the AbaddonPOS malware. At this time, AbaddonPOS features include anti-analysis, code obfuscation, a custom protocol for exfiltrating data, locating credit card data in memory, and persistence.
Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the Dexter PoS malware author. In October 2013, reports surfaced that the source code for Alina was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics surfacing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS.
Backoff PoS malware was active from 2013 into 2014, reportedly impacting 1,000 US businesses. The attackers used brute force techniques to gain access to victims’ remote desktop servers in order to install the malware. Backoff uses its RAM scraper to harvest the payment card data and then transmits it back to the attacker over HTTP (port 80).
BlackPOS was first disclosed in 2013 and is most known for its alleged role in the Target and Home Depot payment card breaches of 2013 and 2014, respectively. BlackPOS continues to circulate and infect vulnerable PoS systems. It is designed to collect data from payment cards when they are swiped at infected PoS terminals running Microsoft Windows.
CenterPOS malware, also known as CenterPoint and Cerebrus, was initially discovered by Trend Micro in September 2015 in a directory filled with other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and BlackPOS. At the time, CenterPOS was primarily targeting small and medium-sized businesses (SMBs) in the United States.
Dexter was first discovered in December 2012 and continues to infect machines via phishing emails or by exploiting default system access credentials. This malware infects Windows operating system servers and scrapes credit card data as it is entered on the compromised machine.
FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was labeled as a “one-man PoS malware campaign.” This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in just one month’s time. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and 2 payment card data by using a RAM scraper.
FrameworkPOS, aka TRINITY, is PoS malware associated with a cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it copies and encodes it to a local file in a subdirectory of the c:\windows\ directory while attempting to conceal these files with .dll or .chm extensions.
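The file-masquerading behaviour described above gives an incident responder a cheap check: a real .dll is a PE image and starts with "MZ", and a real .chm starts with "ITSF", so a file carrying one of those extensions but neither header is worth a look. The following is an added example written for this page, not code from FireEye or from the malware; the sample directory it scans is constructed in a temporary folder, the file names and the "encoded" contents are hypothetical, and it does not reproduce FrameworkPOS's actual encoding.

```python
import os
import shutil
import tempfile
from typing import List, Tuple

# Expected leading bytes for the two extensions FrameworkPOS is reported to borrow.
MAGIC = {
    ".dll": (b"MZ",),    # PE image (DLL/EXE) always starts with "MZ"
    ".chm": (b"ITSF",),  # Compiled HTML Help container header
}


def magic_mismatches(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, reason) for every .dll/.chm whose first bytes
    do not match the header that extension implies."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4)
            if not any(head.startswith(m) for m in MAGIC[ext]):
                findings.append((path, f"{ext} file with unexpected header {head!r}"))
    return findings


def build_sample_tree() -> str:
    """Constructed stand-in for a Windows directory (hypothetical names/contents):
    one genuine-looking DLL, one genuine-looking CHM, and one fake 'DLL' that is
    really a text dump of the kind a memory scraper might stash on disk."""
    root = tempfile.mkdtemp(prefix="winroot_")
    sub = os.path.join(root, "system32", "drivers")
    os.makedirs(sub)
    with open(os.path.join(root, "system32", "kernel32.dll"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)
    with open(os.path.join(root, "help", "ntshared.chm") if os.makedirs(os.path.join(root, "help")) is None else "", "wb") as fh:
        fh.write(b"ITSF\x03\x00\x00\x00" + b"\x00" * 56)
    with open(os.path.join(sub, "cardlog.dll"), "wb") as fh:
        fh.write(b"CONSTRUCTED-ENCODED-TRACK-DATA-PLACEHOLDER")  # not a PE image
    return root


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return magic_mismatches(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

Running it reports only the fake cardlog.dll; the genuine DLL and CHM pass. On a live system the same walk would be pointed at C:\Windows, and the check is a triage filter rather than proof of infection, since legitimately odd files exist too.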
MalumPOS is a PoS malware family first reported by Trend Micro in 2015. It specifically targets the Oracle MICROS Systems platform which is used by 330,000 customers in 180 countries. MalumPOS is installed as a service using command-line arguments and disguises itself as the "NVIDIA Display Driver" (often stylized as NVIDIA Display Driv3r) to avoid discovery.
NewPosThings was uncovered by Arbor Networks in September 2014, and has targeted both 32-bit and 64-bit Windows systems. It has RAM scraper capabilities along with key logging routines, virtual network computing (VNC) password dumping, and information gathering. This PoS malware can also disable security warnings on systems and uses custom packers with anti-debugging methods.
Punkey was discovered and disclosed by Trustwave in April 2015 during a U.S. Secret Service investigation. Its name is a play on the 1980s children's TV show "Punky Brewster" and it is believed to have evolved from the NewPosThings malware family. Punkey works by injecting itself into the Windows Explorer process (explorer.exe), creating registry start-up entries to maintain persistence, and using a RAM scraper to look for plaintext payment card information.
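Nearly every family on this page (Backoff, BlackPOS, FighterPOS, Punkey and the rest) is at heart a RAM scraper: it reads other processes' memory and pattern-matches for magnetic-stripe Track 1 and Track 2 data, the format FighterPOS is noted above as collecting. The same matching logic is what a responder runs over a memory dump to confirm whether plaintext card data was ever resident. The block below is an added example written for this page, not code from any of these families or from the researchers cited; the "memory" buffer is constructed inline and the PANs are the usual publicly known test numbers, not real cards.

```python
import re
from typing import Dict, List

# Constructed stand-in for a slice of a PoS process's memory: noise bytes with
# plaintext track data mixed in. Test PANs only (4111... / 5555... are standard
# Luhn-valid test numbers); the third record is deliberately Luhn-invalid.
SAMPLE_MEMORY = (
    b"\x00\x00junk junkyard\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00more noise\xff\xfe"
    b";5555555555554444=2512101123456789?"
    b"\x00%B1234567812345678^BAD/LUHN^2512101?\x00"   # well-formed, fails Luhn
    b";4111111111111111=2512?"                        # too short after '=' to be Track 2
)

# Track 1: %B<PAN 13-19 digits>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN 13-19 digits>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to drop false positives from random digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so findings can be logged without copying card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict[str, str]]:
    """Find Track 1/Track 2 records in a byte buffer and keep only Luhn-valid PANs."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "1", "pan": pan, "masked": mask_pan(pan),
                         "name": m.group(2).decode(), "exp": m.group(3).decode(),
                         "service": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": pan, "masked": mask_pan(pan),
                         "exp": m.group(2).decode(), "service": m.group(3).decode()})
    return hits


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit["track"], hit["masked"], hit.get("name", ""), hit["exp"])
```

Two of the four candidate records survive: the well-formed Track 1 record whose PAN fails Luhn is discarded, and the final record never matches because Track 2 requires at least seven digits (expiry plus service code) after the "=". Pointed at a process dump instead of the constructed buffer, the same function is a quick way to confirm that a terminal held unencrypted track data in memory, which is the condition every family here depends on.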
Multigrain is a variant of NewPosThings, first reported by FireEye in April 2016. According to FireEye's report, Multigrain consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.
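DNS exfiltration of the kind attributed above to Multigrain, BernhardPOS and FrameworkPOS works by packing the stolen data into the subdomain labels of queries for an attacker-controlled zone, so the resolver does the delivery even when the PoS host has no direct internet access. On the defender's side that shows up as a zone receiving many unique, long, encoded-looking labels. The following detector is an added example written for this page, not FireEye's or the malware's own code; the query log format, the client addresses, the attacker zone name and the encoded labels are all constructed, and treating the last two labels as "the zone" is a simplification that a real deployment would replace with a public-suffix lookup.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed query log, one "time client qname" record per line. Three queries
# to a placeholder zone carry base32-looking labels; the rest are ordinary names.
SAMPLE_LOG = """\
10:00:01 10.0.5.21 www.example.com
10:00:02 10.0.5.21 update.vendor-pos.example
10:00:03 10.0.5.21 NBSWY3DPEB3W64TMMQ.evil-c2.example
10:00:03 10.0.5.21 JBSWY3DPEBLW64TMMQQHGZLDOJSXI.evil-c2.example
10:00:04 10.0.5.21 KRSXG5BAMRQXIYJAMZXXEIDFPBTGS3DUOJQXI2LPNY.evil-c2.example
10:00:05 10.0.5.22 mail.example.com
"""

BASE32_LABEL = re.compile(r"^[A-Z2-7]+=*$")  # RFC 4648 base32 alphabet


def shannon_entropy(s: str) -> float:
    """Bits per character; hostnames sit low, encoded blobs sit high."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str) -> Tuple[str, List[str]]:
    """Simplification: last two labels are the zone, everything before is payload."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def suspicious_label(label: str) -> bool:
    """Long, base32-charset-only, high-entropy label: encoded data, not a hostname."""
    return (len(label) >= 16
            and BASE32_LABEL.match(label.upper()) is not None
            and shannon_entropy(label) >= 3.0)


def find_dns_exfil(log: str, min_unique: int = 3) -> Dict[str, List[str]]:
    """Return zones that received at least `min_unique` distinct suspicious qnames,
    mapped to the offending queries. Aggregating per zone is what separates
    exfiltration from a single odd-looking CDN name."""
    per_zone: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, _client, qname = parts
        zone, payload = split_query(qname)
        if payload and any(suspicious_label(lbl) for lbl in payload):
            per_zone[zone].append(qname)
    return {z: q for z, q in per_zone.items() if len(set(q)) >= min_unique}


if __name__ == "__main__":
    for zone, queries in find_dns_exfil(SAMPLE_LOG).items():
        print(zone, len(queries), "suspicious queries")
```

Only the placeholder zone is reported; www.example.com and the vendor update name never pass the label test. Thresholds (label length, entropy, unique-query count) are starting points to tune against a baseline of the site's normal traffic, and the per-zone volume is usually the more reliable signal than any single label.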
TreasureHunt is PoS malware that appears to have been custom-built for the operations of a particular underground "dump shop," a website where stolen payment card numbers are posted and sold, according to FireEye reporting from March 2016. TreasureHunt enumerates running processes, extracts payment card information from memory, and then transmits this information to a C2 server.