AbaddonPOS

AbaddonPOS malware was first identified by Proofpoint in October 2015, after discovering an infection that resulted from the Vawtrak Trojan. In this case, Vawtrak downloaded multiple payloads, including TinyLoader and shellcode that downloaded the AbaddonPOS malware. At this time, AbaddonPOS features include anti-analysis, code obfuscation, a custom protocol for exfiltrating data, locating credit card data, and persistence.

Alina

Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the Dexter PoS malware author. In October 2013, reports surfaced that the source code for Alina was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics surfacing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS.

Backoff

Backoff PoS malware was active from 2013 into 2014, reportedly impacting 1,000 US businesses. The hackers used brute force techniques to gain access to victims’ remote desktop servers in order to install the malware. Backoff uses its RAM scraper to harvest the payment card data and then transmits it back to the hacker over HTTP (port 80).

FighterPOS

FighterPOS, also known as BRFighter, was discovered by Trend Micro in April 2015 and was labeled as a “one-man PoS malware campaign.” This variant was used to steal more than 22,000 payment card numbers from Brazil, Canada, and the United States in just one month’s time. Designed and sold by a single threat actor, FighterPOS is written in Visual Basic 6 and collects both Track 1 and 2 payment card data by using a RAM scraper.

FrameworkPOS

FrameworkPOS, aka TRINITY, is PoS malware associated with a cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it copies and encodes it to a local file in a subdirectory of the c:\windows\ directory while attempting to conceal these files with .dll or .chm extensions.

MalumPOS

MalumPOS is a PoS malware family first reported by Trend Micro in 2015. It specifically targets the Oracle MICROS Systems platform which is used by 330,000 customers in 180 countries. MalumPOS is installed as a service using command-line arguments and disguises itself as the "NVIDIA Display Driver" (often stylized as NVIDIA Display Driv3r) to avoid discovery.

Punkey

Punkey was discovered and disclosed by Trustwave in April 2015 during a U.S. Secret Service investigation. Its name is a play on the 1980s children's TV show "Punky Brewster" and is believed to have evolved from the NewPosThings malware family. Punkey works by injecting itself into the Windows OS Explorer process, creating registry start-up entries to maintain persistence, and using a RAM scraper to look for plaintext payment card information.
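Several of the families above (Backoff, FighterPOS, Punkey) harvest plaintext Track 1 and Track 2 data from process memory, and FrameworkPOS writes the captured track data to disguised local files. The following added example, which is not code from the page or from any of these malware families, shows the defender's side of that: a forensic triage scanner that finds Track 1/Track 2 formatted records in a memory dump or recovered file, validates each PAN with the Luhn check, and reports only masked PANs so the output can be shared while scoping the exposure. The sample buffer, the 4111111111111111 test PAN, and the regexes are constructed for the example.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
# PAN length is 13-19 digits; the trailing '?' is the end sentinel.
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]{0,50}\?')
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{4})[^?]{0,40}\?')

# Constructed memory-dump fragment: two valid records embedded in noise and one
# record whose PAN fails the Luhn check (a false positive a scanner must flag).
SAMPLE_DUMP = (
    b'\x00\x01junk' +
    b'%B4111111111111111^DOE/JOHN^25121010000000000?' +
    b'\x90\x90' +
    b';4111111111111111=25121010000000000000?' +
    b'random;4111111111111112=2512101?' +
    b'\x00'
)


def luhn_valid(pan):
    """Return True if the decimal string pan passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits (BIN and last-4), mask the rest."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Scan a bytes buffer for Track 1/Track 2 records.

    Returns a list of dicts sorted by offset; PANs are never returned in clear."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({'track': 1, 'offset': m.start(), 'pan_masked': mask_pan(pan),
                     'luhn_ok': luhn_valid(pan), 'expiry': m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({'track': 2, 'offset': m.start(), 'pan_masked': mask_pan(pan),
                     'luhn_ok': luhn_valid(pan), 'expiry': m.group(2).decode()})
    hits.sort(key=lambda h: h['offset'])
    return hits


def summarize(hits):
    """Count records that look like real card data (Luhn-valid) vs. noise."""
    valid = sum(1 for h in hits if h['luhn_ok'])
    return {'total': len(hits), 'luhn_valid': valid, 'luhn_invalid': len(hits) - valid}


if __name__ == '__main__':
    found = find_track_data(SAMPLE_DUMP)
    for h in found:
        print(h)
    print(summarize(found))
```

Running the block over a real dump (for example, the output of a memory acquisition tool, or the .dll/.chm files FrameworkPOS leaves under c:\windows\) gives a count of Luhn-valid records and their BIN ranges without exposing full card numbers; the Luhn filter matters because random binary data frequently produces digit runs that match the track regexes by chance.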

Multigrain

Multigrain is a variant of NewPosThings, first reported by FireEye in April 2016. According to FireEye's report, Multigrain consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.
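Because Multigrain, BernhardPOS and FrameworkPOS move stolen card data out over DNS, query logs are where a defender can catch them. The following added example, which is not the page's code and is not derived from any of these families, implements a simple DNS-exfiltration detector over passive DNS log lines: it flags queries with unusually long labels, high-entropy subdomains or very long names, then groups the flagged queries by registrable domain so that a burst of distinct encoded subdomains under one parent stands out. The log format (`<time> <client-ip> <qname>`), the thresholds, the `exfil-placeholder.test` domain and the log lines are all constructed for the example; the registrable-domain split is a naive last-two-labels heuristic, not the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed passive-DNS log lines in the assumed format "<time> <client-ip> <qname>".
# Client 10.1.2.55 issues hex-encoded subdomains under a single parent domain.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.30 www.example.com
10:00:02 10.1.2.30 updates.example.com
10:00:03 10.1.2.55 3a9f1c7e4b2d8e0a6f5c1b9d7e3a2f4c.7b1e5d9a3c2f8e6b.data.exfil-placeholder.test
10:00:04 10.1.2.55 9e2b7c4d1a8f3e6b0c5d2a7f4e1b9c3d.4f8a2c6e1b9d7e3a.data.exfil-placeholder.test
10:00:05 10.1.2.55 c1d4e7a2b5f8c3d6e9a1b4c7d2e5f8a3.2e6b9d1c4f7a3e8b.data.exfil-placeholder.test
10:00:06 10.1.2.30 mail.example.com
"""

LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)$')


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Naive registrable domain: the last two labels (assumption for the example)."""
    parts = qname.rstrip('.').split('.')
    return '.'.join(parts[-2:])


def score_query(qname, max_label_len=25, min_entropy=3.5, max_qname_len=60):
    """Return the list of heuristics a query name trips; empty means benign."""
    labels = qname.rstrip('.').split('.')
    subdomain = ''.join(labels[:-2])   # everything left of the registrable domain
    reasons = []
    if any(len(lbl) > max_label_len for lbl in labels):
        reasons.append('long_label')
    if subdomain and shannon_entropy(subdomain) >= min_entropy:
        reasons.append('high_entropy')
    if len(qname) > max_qname_len:
        reasons.append('long_qname')
    return reasons


def detect_dns_exfil(log_text, min_flagged_per_domain=3):
    """Group flagged queries by registrable domain and keep domains that receive
    at least min_flagged_per_domain suspicious queries (a single odd name is
    usually noise; a stream of them to one parent is the exfiltration pattern)."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, qname = m.groups()
        reasons = score_query(qname)
        if reasons:
            by_domain[registrable_domain(qname)].append((client, qname, reasons))
    return {d: hits for d, hits in by_domain.items() if len(hits) >= min_flagged_per_domain}


if __name__ == '__main__':
    for domain, hits in detect_dns_exfil(SAMPLE_DNS_LOG).items():
        print(domain)
        for client, qname, reasons in hits:
            print('  ', client, qname, reasons)
```

The per-domain grouping is the important design choice: DNS-based exfiltration necessarily produces many unique, never-repeated subdomains under one attacker-controlled parent, so the count of distinct flagged names per registrable domain and per client is a more robust signal than any single query's entropy, and it is cheap to compute from resolver logs that most environments already keep.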