In November 2016, researchers at Morphick discovered a new point-of-sale (PoS) malware variant they aptly named ScanPOS after the contents of a build string within the malware’s code. ScanPOS is distributed by Kronos, a banking Trojan that is delivered via a phishing campaign. After the victim opens the phishing email and enables macros on the attached malicious document, the Kronos payload is installed, which in turn downloads and installs ScanPOS.
Upon execution, ScanPOS grabs information about the currently running process and collects the user name and privilege rights on the infected system. It then enters an infinite loop to dump process memory and search for payment card track data. After ScanPOS conducts several searches for this information, it passes potential data to Luhn’s algorithm for validation. If the data passes the Luhn check, it continues searching for numbers until it reaches a question mark (?), which marks the end of the payment card track data.
Once potential payment card numbers are found, ScanPOS sends that data back to the attacker via HTTP POST to invoicesharepoint[.]com. (Upon further investigation, the NJCCIC has discovered that this and another ScanPOS-associated website have been suspended by the hosting provider.)
At the time of Morphick’s initial report, ScanPOS had a very low detection rate among several popular and reputable antivirus software packages, scoring just 1/55 on VirusTotal. This is likely to change as word begins to spread about this variant. However, the malicious actor(s) behind this campaign will likely modify indicators and code to evade detection in the future.
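Because indicators such as the domain are expected to change, egress inspection can key on the data itself: track-formatted card numbers that end in "?" and pass the Luhn check, leaving a PoS host in an HTTP POST. The following is an added example, not code from Morphick or the NJCCIC; it assumes the proxy sees request bodies in cleartext, and the function names, the sample host and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Indicator from the profile above; stored defanged, refanged only for matching.
IOC_HOST = "invoicesharepoint[.]com".replace("[.]", ".")
IOC_HOSTS = {IOC_HOST}

# ISO/IEC 7813 track layouts. Both tracks end with the '?' end sentinel.
TRACK_PATTERNS = {
    "track1": re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?"),
    "track2": re.compile(rb";(\d{13,19})=\d{4}[^?]*\?"),
}

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so alerts never store a full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def inspect_post(host: str, body: bytes) -> list[str]:
    """Return findings for one outbound POST (destination host, cleartext body)."""
    findings = set()
    if host.lower() in IOC_HOSTS:
        findings.add("ioc-host")
    # Scan the raw and the URL-decoded body: decoding turns '%3B' into ';',
    # but it would also corrupt a raw Track 1 '%B4...' prefix.
    for view in {body, unquote_to_bytes(body)}:
        for name, rx in TRACK_PATTERNS.items():
            for m in rx.finditer(view):
                if luhn_ok(m.group(1)):
                    findings.add(f"{name}:{mask(m.group(1))}")
    return sorted(findings)

# Constructed sample events using the public test PAN 4111111111111111.
SAMPLES = [
    ("pos-updates.example", b"d=%3B4111111111111111%3D25121010000000000000%3F"),
    ("pos-updates.example", b"d=%B4111111111111111^DOE/JOHN^25121010000000000000?"),
    ("pos-updates.example", b"order=;4111111111111112=2512101?"),  # fails Luhn
    (IOC_HOST, b"ping=1"),
]

if __name__ == "__main__":
    for host, body in SAMPLES:
        print(host.replace(".", "[.]"), inspect_post(host, body))
```

A track-data hit from a PoS terminal to any destination other than the payment processor warrants investigation even when the host matches no known indicator.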
Reporting and Technical Details
- November 2016: ScanPOS, new POS malware being distributed by Kronos (Morphick)