Cherry Picker


Cherry Picker is a Point-of-Sale (PoS) memory scraper malware first identified by Trustwave analysts in 2011, having gone largely undetected for several years prior. It is typically found on systems also infected with the “searcher.dll” downloader. At the time of detection, researchers found three versions of the malware, each an improvement on the previous one.


AbaddonPOS malware was first identified by Proofpoint in October 2015, after discovering an infection that resulted from the Vawtrak Trojan. In this case, Vawtrak downloaded multiple payloads, including TinyLoader and shellcode that downloaded the AbaddonPOS malware. At this time, AbaddonPOS features include anti-analysis, code obfuscation, a custom protocol for exfiltrating data, locating credit card data in memory, and persistence.


Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the Dexter PoS malware author. In October 2013, reports surfaced that the source code for Alina was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics surfacing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS.


CenterPOS malware, also known as CenterPoint and Cerebrus, was initially discovered by Trend Micro in September 2015 in a directory filled with other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and BlackPOS. At the time, CenterPOS was primarily targeting small and medium-sized businesses (SMBs) in the United States.


FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was labeled as a “one-man PoS malware campaign.” This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in just one month’s time. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and 2 payment card data by using a RAM scraper.


FrameworkPOS, aka TRINITY, is PoS malware associated with a cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it copies and encodes it to a local file in a subdirectory of the c:\windows\ directory while attempting to conceal these files with .dll or .chm extensions.


NewPosThings was uncovered by Arbor Networks in September 2014, and has targeted both 32-bit and 64-bit Windows systems. It has RAM scraper capabilities along with key logging routines, virtual network computing (VNC) password dumping, and information gathering. This PoS malware can also disable security warnings on systems and use custom packers with added debugging methods.


Punkey was discovered and disclosed by Trustwave in April 2015 during a U.S. Secret Service investigation. Its name is a play on the 1980s children's TV show "Punky Brewster" and is believed to have evolved from the NewPosThings malware family. Punkey works by injecting itself into the Windows OS Explorer process, creating registry start-up entries to maintain persistence, and using a RAM scraper to look for plaintext payment card information.


Multigrain is a variant of NewPosThings, first reported by FireEye in April 2016. According to FireEye's report, Multigrain consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.


TreasureHunt is PoS malware that appears to have been custom-built for the operations of a particular black-market website where payment card numbers are posted and sold, known as a “dump shop,” according to a report from FireEye in March. TreasureHunt enumerates running processes, extracts payment card information from memory, and then transmits this information to a C2 server.