MalumPOS

MalumPOS is a point-of-sale (PoS) malware family first reported by Trend Micro in 2015. It specifically targets the Oracle MICROS Systems platform, which is used by 330,000 customers in 180 countries. MalumPOS is installed as a service using command-line arguments and disguises itself as the "NVIDIA Display Driver" (often stylized as "NVIDIA Display Driv3r") to avoid discovery. It monitors all running processes on the infected system and can target up to 100 processes for RAM scraping. Once it finds Track 1 and Track 2 payment card data, MalumPOS extracts the data, encrypts it, and saves it to C:\Windows\system32\nvsvc.dll. It also attempts to avoid detection by modifying file timestamps and by loading application programming interfaces (APIs) dynamically to evade malware analysis tools.
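The behaviours described above (a service hiding behind an NVIDIA-style display name, the output file under system32, and altered timestamps) translate directly into host-based checks. The following Python is an added illustration written for this profile, not code from Trend Micro or from the malware analysis: it runs a few of those checks over a constructed service inventory and file listing. The "legitimate path" prefixes, the leet-spelling regex, and the timestomp heuristics (last-write earlier than creation, sub-second field zeroed) are general forensic assumptions used for illustration, not facts taken from the profile.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Indicators taken from the profile: the decoy service name (with optional
# leet spelling such as "Driv3r") and the file the scraped data is written to.
DECOY_NAME_RE = re.compile(r"nvidia\s+display\s+dr[i1]v[e3]r", re.IGNORECASE)
OUTPUT_PATH = r"c:\windows\system32\nvsvc.dll"

# Assumption for illustration: a genuine NVIDIA service binary is expected to
# live under one of these prefixes; anything else with the decoy name is odd.
LEGIT_PREFIXES = (r"c:\program files\nvidia corporation", r"c:\windows\system32\drivers")


@dataclass
class ServiceEntry:
    name: str
    display_name: str
    binary_path: str  # ImagePath / BINARY_PATH_NAME, arguments included


@dataclass
class FileEntry:
    path: str
    created: datetime   # $STANDARD_INFORMATION creation time
    modified: datetime  # $STANDARD_INFORMATION last-write time


def suspicious_services(services: List[ServiceEntry]) -> List[str]:
    """Flag services whose name mimics the NVIDIA display driver but run from an unexpected path."""
    findings = []
    for svc in services:
        if DECOY_NAME_RE.search(svc.display_name) or DECOY_NAME_RE.search(svc.name):
            if not svc.binary_path.lower().startswith(LEGIT_PREFIXES):
                findings.append(
                    f"service {svc.name!r} ({svc.display_name!r}) runs from unexpected path {svc.binary_path}"
                )
    return findings


def suspicious_files(files: List[FileEntry]) -> List[str]:
    """Flag the known output file and timestamps that look hand-set (timestomping heuristics)."""
    findings = []
    for f in files:
        if f.path.lower() == OUTPUT_PATH:
            findings.append(f"MalumPOS output file present: {f.path}")
        # Heuristic: a last-write time earlier than creation can be legitimate
        # (copied files) but is worth a look next to the other indicators.
        if f.modified < f.created:
            findings.append(f"{f.path}: modified ({f.modified}) precedes creation ({f.created})")
        # Heuristic: tools that set timestamps by hand often leave the
        # sub-second part as exactly zero, which real NTFS writes rarely do.
        if f.modified.microsecond == 0 and f.created.microsecond == 0:
            findings.append(f"{f.path}: both timestamps have zero sub-second precision")
    return findings


def scan(services: List[ServiceEntry], files: List[FileEntry]) -> List[str]:
    return suspicious_services(services) + suspicious_files(files)


# Constructed sample inventory (not real telemetry): one decoy service, one
# plausibly legitimate NVIDIA service, one unrelated service, and two files.
SAMPLE_SERVICES = [
    ServiceEntry("nvsvc", "NVIDIA Display Driv3r", r"C:\Users\Public\nvsvc.exe -install"),
    ServiceEntry("nvdisplay", "NVIDIA Display Driver Service",
                 r"C:\Program Files\NVIDIA Corporation\Display\nvdisplay.exe"),
    ServiceEntry("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_FILES = [
    FileEntry(r"C:\Windows\system32\nvsvc.dll",
              created=datetime(2015, 6, 1, 10, 0, 0),
              modified=datetime(2009, 7, 14, 1, 14, 0)),
    FileEntry(r"C:\Windows\System32\kernel32.dll",
              created=datetime(2015, 3, 2, 8, 15, 22, 123456),
              modified=datetime(2015, 3, 2, 8, 15, 22, 123456)),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_SERVICES, SAMPLE_FILES):
        print(line)
```

On a live host the two lists would be filled from a service enumeration and a directory listing of system32; the checks are deliberately independent so that a single hit (for example the zeroed sub-second timestamp) is a lead rather than a verdict.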

Reporting

  • June 2015: Trend Micro released a report on MalumPOS, a new PoS malware family targeting systems running the Oracle MICROS platform, Oracle Forms, Shift4 systems, and those accessed through Internet Explorer. (TrendLabs Security Intelligence Blog)

Technical Details

  • Trend Micro provides more information on MalumPOS, including IOCs, in their technical brief here.

[Figure: One example of MalumPOS in disguise. Image source: Trend Micro]