14 DAY TRIAL // Cybercriminals created a new point-of-sale malware that can be set up to collect card data from multiple payment processing systems, making it one of the most flexible threats in its category.
Dubbed MalumPoS by security researchers at Trend Micro, the new malware piece is currently aimed at PoS systems powered by Oracle MICROS, a platform mostly found at hospitality and retail businesses.
Data collected from at least five types of cards
Once on the target machine, the behavior of MalumPoS is similar to that of other PoS malware, as it starts searching for payment card information in the processes running in the memory of the system. To avoid detection, the malware poses as the NVIDIA Display Driver and installs as a service.
According to Trend Micro, the malware can sift through up to 100 running processes and relies on regular expressions to determine if the data matches details from a card or not.
Since the information required for financial transactions is available on two tracks on a card’s magnetic stripe, there is a different regular expression for each of them.
The information scraped from the RAM is stored in an encrypted file, whose name (nvsvc.dll) makes it look as if it were part of NVIDIA drivers, so that it does not raise any suspicion.
Analysis of the malware shows that it searches for data from Visa, MasterCard, American Express, Discover Cards, Diner’s Club, and some cards issued by JCB (Japan Credit Bureau).
MalumPoS lacks data exfiltration capability
Trend Micro says that MalumPoS also targets Oracle Forms, Shift4 systems, as well as those accessed via Internet Explorer, most of them being available in the US. But given its versatility, the threat can be modified to add new payment processing units as well as cards from other companies.
The research from the security firm shows that MalumPoS shares similarities with a threat of the same kind, called Rdasrv.
One commonality, apart from using the same regular expression, is lack of data exfiltration capabilities, which suggests that the information is collected using a different piece of malware. However, a clear connection between the two cannot be highlighted.
On the other hand, researchers say that the operators of MalumPoS had information about the target before infecting it because they were able to customize binaries, "plant them within the target's environment, and manually collect the stored data."
[UPDATE, June 11]: Representatives of Shift4 contacted us to inform that payment systems from PAR Springer-Miller integrate Shift4 solutions with a fully tokenized and P2PE (point-to-point encryption) hardware, which eliminates the risk of RAM scraping malware such as MalumPoS.
"Swipe information and even hand-keyed payment information is encrypted at the point of entry and flows through our Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information," Shift4 said in a statement.
When asked by Softpedia whether it is possible that Trend Micro referred to older systems that did not rely on a P2PE solution, Steve Sommers, Senior Vice President at Shift4, said that PAR Springer-Miller, a partner of company "is being very aggressive in pushing tokenization combined with hardware P2PE and requiring there customers to purchase new devices."
