Researchers with Trend Micro have identified malware – known as MalumPOS – that can be configured to target any point-of-sale (POS) system, and which also takes steps to avoid detection.
Jay Yaneza, threat analyst with Trend Micro, wrote in a Friday post that MalumPOS is currently targeting data from POS systems running on Oracle MICROS, a system used in 330,000 customer sites around the world – the majority of which are hospitality, food and beverage and retail locations in the United States.
MalumPOS – a POS RAM scraper written in the Delphi programming language – is also targeting Oracle Forms and Shift4 systems, but without much trouble the attackers can reconfigure the malware to breach other systems such as Radiant or NCR Counterpoint POS systems, Yaneza said in the post.
“[It's] not that difficult,” Yaneza told SCMagazine.com in a Monday email correspondence. “Threat actors just have to determine which processes to target, and then build a new binary. The characteristics of the binaries we analyzed tell us that they're using a kit/builder as the binary construction is the same and then the necessary elements to make it run are loaded on runtime.”
Upon infection, MalumPOS takes a few steps to hide and avoid detection, one of which includes disguising itself as a “NVIDIA Display Driver” – stylized as “NVIDIA Display Driv3r.” Yaneza reminds users that typical NVIDIA components are not integral to POS systems.
Additionally, MalumPOS scrapes credit card data selectively by using regular expressions (regexes) to comb through POS data and find only important information. Specifically, the malware looks for data on Visa, MasterCard, American Express, Discover and Diner's Club cards.
Trend Micro has provided additional details on the threat in a MalumPOS technical brief.
UPDATE: According to a Shift4 statement emailed to SCMagazine.com last week, “The Trend Micro brief is based on a 2014 report, which is most likely referencing 2013 or prior data. Since this time, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution, which renders any memory scraping malware useless for gathering cardholder data. Swipe information and even hand-keyed payment information is encrypted at the point of entry and flows through our Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information.”
Trend Micro followed up, stating, “We're glad to hear that Shift4 updated its software to address this issue. Since PoS malware isn't going away anytime soon, it's important for security to be set up at the software level. Trend Micro welcomes the opportunity to analyze the new version where these security updates are implemented, and share our feedback accordingly.”