Researchers have discovered a point-of-sale malware program, RtPOS, that saves payment card data locally but does not exfiltrate it to a command-and-control server, perhaps so its activity is less likely to be detected as anomalous.
The lack of exfiltration also suggests that the malware is a post-compromise tool that attackers would only use if they’ve already compromised the target machine and have other means of transmitting the stolen data, according to an Aug. 25 blog post from Booz Allen Hamilton’s Managed Threat Services unit. However, it’s also possible that RtPOS is merely in development and its exfiltration capabilities simply haven’t been added yet.
Based on its 2017 compile time, RtPOS has existed in some form since at least last year. With zero networking capabilities, it can only be found on the victim’s infected endpoint. It features a Russian language code, and its file name, alohae.exe, falsely suggests that the malware is really the “Windows Logon Service.”
Upon installation, RtPOS “iterates the available/running processes on the compromised machine,” the blog post explains. “This is carried out in two steps: first, RtPOS uses CreateToolhelp32Snapshot to obtain a process list, and finally uses Process32FirstW to begin iteration of the process list.”
Later, it uses the ReadProcessMemory function to access the POS system’s memory space, presumably in order to perform RAM-scraping on transactions before payment data can be encrypted. The malware then takes any stolen Track 1 and Track 2 data uses a checksum formula to validate the payment card numbers. Those deemed valid are saved in a .dat file in the WindowsSysWOW64 folder for later exfiltration, although the malware itself cannot perform that function.