RawPOS Point-of-Sale Malware Checks in to Hotels and Casinos


Security researchers have shed new light on seven-year-old point-of-sale (POS) malware still being used today, most recently to attack casinos and resort hotels.

RawPOS was first spotted in a Visa Data Security alert in 2008 and has been used repeatedly and successfully by cyber-criminals to steal valuable magstripe data from victims in the United States, Canada, Europe, the Middle East, and Latin America.

As such, it may have been “instrumental to previous credit card breaches documented and not previously attributed to this particular PoS threat,” Trend Micro claimed in a blog post.

RawPOS features a three-stage modular design.

The first stage handles persistence: it installs the malware and ensures that the memory dumper and file scraper are launched.

The second features two memory dumpers: “one generic dumper that can be called to dump a specific process, and another dumper that is designed for specific processes that target specific PoS applications.”

The generic dumper is also time-sensitive: if a month has passed since its compile time, for example because the attacker has not returned to the target environment, it stops all suspicious activity. This makes dynamic analysis of recovered samples difficult, Trend Micro claimed.

The third stage, the file scraper, parses the files written by the memory dumper, extracts the credit card (track) data from them and encodes the result.
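To make the scraper stage concrete, the following is an added example written for this page; it is not RawPOS code and not taken from the Trend Micro report. It does what a file scraper has to do: walk a raw process-memory dump, pull out ISO/IEC 7813 Track 1 and Track 2 records with a regular expression, and discard digit runs that are not Luhn-valid primary account numbers (PANs). The same logic is useful on the defensive side, since an incident responder can run it over suspect dump or staging files to confirm that card data was actually harvested. The memory dump, the `POSApp.exe` name and the offsets are constructed for the example, and the PANs are the well-known Visa and Mastercard test numbers, not real cards.

```python
import re
from dataclasses import dataclass

# Track 2 (ISO/IEC 7813): ;PAN=YYMM SVC discretionary?   PAN is 13-19 digits.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 format B: %B PAN ^ NAME ^ YYMM SVC discretionary?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]*)\?")


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned blob
    pan: str            # full PAN; never write this to an unprotected report
    expiry: str         # YYMM as encoded on the stripe
    service_code: str   # three-digit service code


def luhn_ok(pan: str) -> bool:
    """Standard Luhn (mod 10) check; weeds out digit runs that merely look like a PAN."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(blob: bytes) -> list:
    """Return Luhn-valid Track 1 / Track 2 records found in a memory dump, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), pan, m.group(3).decode(), m.group(4).decode()))
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), pan, m.group(2).decode(), m.group(3).decode()))
    return sorted(hits, key=lambda h: h.offset)


def mask_pan(pan: str) -> str:
    """PCI-style masking for reports: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "memory dump" (not a real capture): junk bytes around two valid
# track records and one Luhn-invalid decoy. Test PANs only.
SAMPLE_DUMP = (
    b"\x00\x00POSApp.exe\x00heap\x00" * 3
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?\x00\x00"
    + b"random ;text=with?separators\x00"
    + b";5555555555554444=25121010000000000?\x00"
    + b";4111111111111112=2512101000?\x00"      # fails Luhn -> dropped
    + b"\xff" * 16
)

if __name__ == "__main__":
    for h in scrape_tracks(SAMPLE_DUMP):
        print(f"track{h.track} @0x{h.offset:04x} pan={mask_pan(h.pan)} "
              f"exp={h.expiry} svc={h.service_code}")
```

Two points worth noting when using this for hunting rather than harvesting: the Luhn check matters because process memory is full of 16-digit runs (timestamps, handles, serials) that a bare regex will match, and anything you do find should be masked before it goes into a ticket or report so the investigation does not itself become a cardholder-data exposure.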

The modular design means attackers can tailor the threat according to target environments, Trend Micro said.

The report added:

“The multi-stage or multi-component strategy ensures a high success rate for the chosen environment, while making prevention and detection harder—no matter what type of solution. The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks within small-to-medium business segments are designed. It is fault-tolerant, persistent and very specific – incident responders and threat investigators may chance upon a specific file that has only been deployed for that specific business.”

Over time, attackers have also modified RawPOS so that it supports multiple POS software types – making it a highly effective and versatile tool.
