A new PoS campaign gathers credit card mag stripe data, as well as keyloggers and backdoors.
A new PoS campaign gathers credit card mag stripe data, as well as keyloggers and backdoors.

A longstanding point-of-sale (PoS) RAM scraper malware family has some new tricks up its sleeve, according to a report by Trend Micro's Cyber Safety Solutions Team.

While the researchers said the malware's distribution strategies are consistent with past attacks, the malware has evolved to go after driver's license data, particularly targeting the hospitality industry.

The increased threat of identity theft from RawPOS (dubbed by Trend Micro as TSPY_RAWPOS) will aid the attack group's malicious activities, the researchers stated.

The campaign has evolved to gather credit card mag stripe data, as well as keyloggers and backdoors, in pursuit of its ultimate goal: information. And the malware does this by "cleverly modifying the regex string to capture the needed data," the report found.

In other words, the malware employs pattern matching to scan for data embedded in the magnetic stripe to capture “track data”-like strings in memory. Once it detects a pattern, "the memory dumper dumps process memory for a file scraper to organize the data."

But, last year the Trend Micro team began noticing a new iteration that – along with credit card details and the “Drivers” and “License” strings­ – included a string “ANSI 636,” which designates data coded into U.S. driver's licenses – including full name, date of birth, full address, gender, height, even hair and eye color.

Once the bad actors get hold of personal information along with credit card information, they're at an advantage for carrying out identity theft transactions – without needing a physical card.

Code modification is trivial, the bad actors behind this latest attack just modify the source code and then compile it, ready for the next target, Jon Clay, director of global threat communications at Trend Micro, told SC Media on Wednesday.

In particular, there are two modifications that he highlights to illustrate the point:

"First of all, they've always been modifying their code to fit the target environment," Clay said. "These modifications may include: the regex patterns, list of processes to look for in memory, the CC dump file, service install/description."

He notes that this comes hand-in-hand since the regex (that matches the interesting string of characters) should be found in the list of processes' memory. The coders, he said, also make sure that all of these items blend within the environment so it won't stand out like some random processes/service.

"We've always seen modify/create new files that has this combination – but always looking for CC cards and/or looking for list of processes that take CC numbers."

This new regex that matches a drivers license is really new, he said, adding that he hasn't seen it in other families.

Another thing he notes: This round of modifications that the coders did after his team posted its original RawPOS story had some minor modifications to the strings found in the file that would render the original YARA rule his team posted useless.

When asked what's so different about the delivery mechanism used in RawPOS, Clay told SC that, in fact, it's not so different. Mostly, it's the same as depicted previously by his team.

But, there are some newer tools here and there, he said, pointing out that Kroll did an "excellent" update earlier this year about the tools they observed.

This new delivery method tells Clay that the coders are still targeting the hospitality industry. "They always have," he said, adding that he can't blame them as it's still a multi-billion dollar industry. "It's high traffic, and you can be sure that folks paying with a card have high limits. And we're talking about really nice hospitality establishments: like residential hotels, casino hotels, resort hotels."

But, he explained, it's important to decouple the malware authors versus the threat actors themselves. "Though it would be nice to think that the RawPOS malware authors (utilizing Borland C++ and Perl, old-school dudes) are also proficient in network penetration/lateral movement, I would say these are different people."

Ultimately, Clay said he was surprised these bad actors are still operational. "Most of the threat actors operating within this space have died out, but this shows us they're here to stay."