A new point-of-sale (PoS) malware strain has been uncovered, which for now targets a widely deployed credit-card system used in 330,000 customer sites worldwide. But MalumPoS is also highly versatile and can morph to accommodate multiple payment processing systems as well.
For now, it works to compromise Oracle's MICROS retail platform, in order to steal credit- and debit-card data from hotels, stores and other businesses. The scraped info can then be used to create cloned cards to drain bank accounts and credit limits, or can be wholesaled on the black market to other criminals looking to do that same thing. The malware can also monitor running processes and scrape the RAM for further information as well.
"If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk," said Trend Micro's Kenney Lu, in an analysis.
Worryingly, MalumPoS adds a twist to the typical PoS scraper functionality set. It’s designed to be eminently configurable, which means that threat actors can change or add other POS system processes, targets and areas to be scraped—widening the attack radius beyond the Oracle platform. In fact, this capability makes it the most flexible baddie in its category to date.
“This means that in the future, the threat actor can change or add other processes or targets,” Lu said. “He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list. With that inclusion, companies running on those systems will also be at risk.”
Rapid7’s security engineering manager, Tod Beardsley, said that the elastic nature of its functionality represents an evolution in understanding of these systems on the part of cybercriminals.
“The latest report on MalumPOS is another proof point that criminals are understanding that point-of-sale systems are simply another kind of computer, and general-purpose computers all have the opportunity to run malware,” he said via email. “Unfortunately, this is a realization that many companies still have not realized in a practical way. If a device has a USB slot, has an Ethernet port, or is on a wireless network, then it is possible to attack it and alter it.”
Interestingly, MalumPoS also has another interesting quirk: A NVIDIA disguise.
“Once installed in a system, the malware disguises itself as the ‘Nvidia Display Driver,’ and is sometimes stylized as the ‘Nvidia Display Driv3r,’” said Lu. “Although typical NVIDIA components play no important parts in PoS systems, their familiarity to regular users may make the malware seem harmless.”
In all, the threat is real, and potentially widespread: “Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer,” the researcher explained. “Looking at the user base of these listed platforms, we can see that a major chunk is from the US.”
UPDATE, June 10: Shift4 gave us has the following comment on the news:
"The Trend Micro brief is based on a 2014 report, which is most likely referencing 2013 or prior data. Since this time, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution, which renders any memory scraping malware useless for gathering cardholder data. Swipe information and even hand-keyed payment information is encrypted at the point of entry and flows through our Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information. This, combined with 4Res, which is used to tokenize payment information contained in reservation requests from third parties, means that all payment information at the merchant property is tokenized and tokens or encrypted P2PE card blocks are all that can be scraped."