UDPoS

Discovered in January 2018 by Forcepoint researchers, UDPoS masquerades as updates for LogMeIn remote access software, using the initial file update.exe to deliver the additional payloads of LogmeinServicePack_5.115.22.001.exe and logmeinmon.exe.

MajikPOS

A point-of-sale (PoS) malware family targeting payment systems mainly in the U.S. and Canada since at least January 2017. The payment card dumps contain data stolen from American Express, Discover, MasterCard, Visa, Diners Club, and Maestro cards.

Cherry Picker

Cherry Picker is a point-of-sale (PoS) memory scraper malware first identified by Trustwave analysts in 2011, having gone largely undetected for several years before that. It is typically found on systems also infected with the “searcher.dll” downloader. At the time of detection, researchers found three versions of the malware, each an improvement on the previous one.

FlokiBot

Floki Bot, a banking Trojan built on Zeus source code, was first discovered in 2016, and attacks using it spiked during the latter half of that year. It evolved over those first few months, gaining new capabilities including anti-detection features and use of the Tor network.

ScanPOS

In November 2016, researchers at Morphick discovered a new point-of-sale (PoS) malware variant they aptly named ScanPOS, after the contents of a build string within the malware’s code. ScanPOS is distributed by Kronos, a banking Trojan that is itself delivered via a phishing campaign.

FastPOS

FastPOS, discovered in June 2016, is distributed via file sharing, direct file transfer via Virtual Network Computing (VNC), or links directing victims to a compromised website. This variant transmits stolen data to the attacker’s C2 server quickly and in real time, instead of intermittently transmitting locally stored data.

AbaddonPOS

AbaddonPOS malware was first identified by Proofpoint in October 2015, after the discovery of an infection that resulted from the Vawtrak Trojan. In this case, Vawtrak downloaded multiple payloads, including TinyLoader and shellcode that in turn downloaded the AbaddonPOS malware. At the time, AbaddonPOS features included anti-analysis, code obfuscation, a custom protocol for exfiltrating data, locating credit card data in memory, and persistence.

Alina

Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the author of the Dexter PoS malware. In October 2013, reports surfaced that the source code for Alina was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics surfacing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS.

Backoff

Backoff PoS malware was active from 2013 into 2014, reportedly impacting 1,000 US businesses. The attackers used brute-force techniques to gain access to victims’ remote desktop servers in order to install the malware. Backoff uses its RAM scraper to harvest payment card data and then transmits it back to the attacker over HTTP (port 80).

BlackPOS

BlackPOS was first disclosed in 2013 and is most known for its alleged role in the Target and Home Depot payment card breaches of 2013 and 2014, respectively. BlackPOS continues to circulate and infect vulnerable PoS systems. It is designed to collect data from payment cards when they are swiped at infected PoS terminals running Microsoft Windows.

CenterPOS

CenterPOS malware, also known as CenterPoint and Cerebrus, was initially discovered by Trend Micro in September 2015 in a directory filled with other PoS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and BlackPOS. At the time, CenterPOS was primarily targeting small and medium-sized businesses (SMBs) in the United States.

Dexter

Dexter was first discovered in December 2012 and continues to infect machines via phishing emails or by exploiting default system access credentials. This malware infects Windows servers and scrapes payment card data from memory as it is entered on the compromised machine.

FighterPOS

FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was labeled as a “one-man PoS malware campaign.” This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in just one month’s time. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and 2 payment card data by using a RAM scraper.

FrameworkPOS

FrameworkPOS, aka TRINITY, is PoS malware associated with a cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it copies and encodes it to a local file in a subdirectory of the c:\windows\ directory while attempting to conceal these files with .dll or .chm extensions.
