RawPOS is believed to have been active since 2008; its initial infection vector is currently unknown. Upon infecting a PoS system, RawPOS installs the following:

  • WinMgmt.exe (Windows management service)
  • dnsmgr.exe (payment card track data parser)
  • csrvc.exe (memory dump tool)
  • MemPDumper.exe (memory dump tool)

It then runs two further files, compenum.exe and shareanum.exe, to map network shares and enumerate other PoS systems on the network, and installs its memory dumper and data aggregator components on the systems it discovers. The stolen data is centralized on one host, where the operators determine whether further access to the host is required before exfiltrating the payment card data. In some investigations the card data scraped by RawPOS had been staged on a non-PoS system prior to exfiltration to avoid detection. Additional files associated with RawPOS include mmc.exe, vsssvc.exe, visaudp.exe, psex.exe, sdelete.exe, se.exe, framepkg.exe, and spoolsv.chm. Note that mmc.exe and vsssvc.exe share their names with legitimate Windows binaries, so a match on file name alone is not sufficient; the path (and ideally the hash) should be checked as well.
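
As an added example (not part of the original profile or of any vendor's tooling), the following hunt script applies the behaviour above to process-creation telemetry: it flags executions of the RawPOS-associated file names, treats mmc.exe and vsssvc.exe as suspicious only when they run outside %SystemRoot%\System32 (an assumption about a standard Windows install), and correlates enumerator activity on one host with later component executions on other hosts to surface the lateral-movement pattern. The pipe-delimited event format and the sample records are constructed for the example and are not real telemetry.

```python
"""Hunt for RawPOS-associated file names in process-creation events.

Added example. Event format: 'timestamp|host=...|image=...|cmdline=...'
(constructed, loosely modelled on Sysmon Event ID 1; the field names are assumptions).
"""
import ntpath

# File names the profile associates with RawPOS (compared case-insensitively).
RAWPOS_COMPONENTS = {
    "winmgmt.exe", "dnsmgr.exe", "csrvc.exe", "mempdumper.exe",
    "compenum.exe", "shareanum.exe", "mmc.exe", "vsssvc.exe", "visaudp.exe",
    "psex.exe", "sdelete.exe", "se.exe", "framepkg.exe", "spoolsv.chm",
}
# Names that collide with legitimate Windows binaries. The genuine copies live in
# %SystemRoot%\System32 on a standard install (assumption used for triage).
COLLIDING_NAMES = {"mmc.exe", "vsssvc.exe"}
SYSTEM32_PREFIX = r"c:\windows\system32" + "\\"
# Names the profile ties to share mapping / host discovery.
ENUMERATORS = {"compenum.exe", "shareanum.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"2017-03-01T09:00:00Z|host=POS-01|image=C:\Windows\System32\mmc.exe|cmdline=mmc.exe services.msc",
    r"2017-03-01T09:05:00Z|host=POS-01|image=C:\Windows\Temp\compenum.exe|cmdline=compenum.exe",
    r"2017-03-01T09:06:00Z|host=POS-01|image=C:\Windows\Temp\shareanum.exe|cmdline=shareanum.exe",
    r"2017-03-01T09:30:00Z|host=POS-02|image=C:\ProgramData\csrvc.exe|cmdline=csrvc.exe",
    r"2017-03-01T09:31:00Z|host=POS-02|image=C:\ProgramData\dnsmgr.exe|cmdline=dnsmgr.exe",
    r"2017-03-01T10:00:00Z|host=BACKOFFICE-01|image=C:\Users\Public\mmc.exe|cmdline=mmc.exe",
    r"2017-03-01T10:01:00Z|host=POS-03|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe",
]


def parse_event(line):
    """Parse one 'ts|key=value|...' record into a dict."""
    ts, *fields = line.strip().split("|")
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def classify(event):
    """Return (severity, reason) for an event of interest, or None otherwise."""
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    if name not in RAWPOS_COMPONENTS:
        return None
    if name in COLLIDING_NAMES:
        if image.lower().startswith(SYSTEM32_PREFIX):
            return None  # plausibly the genuine Windows binary; verify by hash elsewhere
        return ("high", f"{name} executed outside System32 (RawPOS masquerade name)")
    if name in ENUMERATORS:
        return ("high", f"{name}: share/host enumeration component used by RawPOS")
    return ("medium", f"{name}: file name associated with RawPOS")


def hunt(lines):
    """Run classify() over every record and return the findings in input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit:
            findings.append({"ts": event["ts"], "host": event.get("host"),
                             "image": event.get("image"),
                             "severity": hit[0], "reason": hit[1]})
    return findings


def spread_map(lines):
    """Map each host that ran an enumerator to the other hosts that later executed
    a RawPOS-associated component (the discovery-then-install pattern above).
    Timestamps are compared as ISO-8601 strings, which sort correctly when the
    format is uniform."""
    findings = hunt(lines)
    spread = {}
    for f in findings:
        if ntpath.basename(f["image"]).lower() not in ENUMERATORS:
            continue
        later = {g["host"] for g in findings
                 if g["ts"] > f["ts"] and g["host"] != f["host"]}
        if later:
            spread.setdefault(f["host"], set()).update(later)
    return {host: sorted(targets) for host, targets in spread.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']}: {f['reason']}")
    print("spread:", spread_map(SAMPLE_EVENTS))
```

On the sample records the script ignores the System32 copy of mmc.exe and notepad.exe, flags the two enumerators on POS-01 and the dumper/parser drops on POS-02, flags the mmc.exe under C:\Users\Public on BACKOFFICE-01, and reports POS-01 as the host from which the later activity on POS-02 and BACKOFFICE-01 followed. In a real hunt, feed it exported process-creation events in the same key=value shape and extend the path check with hash verification, since the name list is only a starting point.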

Victims of RawPOS campaigns include casinos, resorts, hotels, and retailers.

Reporting and Technical Details

  • March 2015: "RawPOS" Malware Targeting Lodging Merchants (Visa)
  • April 2015: RawPOS Technical Brief (Trend Micro)
  • April 2016: A Newer Variant of RawPOS in Depth (Alien Vault)
  • March 2017: RawPOS Malware Rides Again (Cylance)
  • April 2017: RawPOS New Behavior Risks Identity Theft (Trend Micro)