Posts in PoS Malware Variants
MalumPOS

MalumPOS is a PoS malware family first reported by Trend Micro in 2015. It specifically targets the Oracle MICROS Systems platform which is used by 330,000 customers in 180 countries. MalumPOS is installed as a service using command-line arguments and disguises itself as the "NVIDIA Display Driver" (often stylized as NVIDIA Display Driv3r) to avoid discovery.

NewPosThings

NewPosThings was uncovered by Arbor Networks in September 2014, and has targeted both 32-bit and 64-bit Windows systems. It has RAM scraper capabilities along with key logging routines, virtual network computing (VNC) password dumping, and information gathering. This PoS malware can also disable security warnings on systems and use custom packers with added debugging methods.

Punkey

Punkey was discovered and disclosed by Trustwave in April 2015 during a U.S. Secret Service investigation. Its name is a play on the 1980s children's TV show "Punky Brewster" and is believed to have evolved from the NewPosThings malware family. Punkey works by injecting itself into the Windows OS Explorer process, creating registry start-up entries to maintain persistence, and using a RAM scraper to look for plaintext payment card information.

Multigrain

Multigrain is a variant of NewPosThings, first reported by FireEye in April 2016. According to FireEye's report, Multigrain consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other PoS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.

TreasureHunt

TreasureHunt is PoS malware that appears to have been custom-built for the operations of a particular black-market website where payment card numbers are posted and sold, known as a "dump shop," according to FireEye's report from March. TreasureHunt enumerates running processes, extracts payment card information from memory, and then transmits this information to a C2 server.
