MalumPOS Malware that Can Be Configured to Target Any POS System

MalumPOS malware disguises itself as a “NVIDIA Display Driver,” but it is stylized as “NVIDIA Display Driv3r.”

Researchers with Trend Micro have identified malware – known as MalumPOS – that can be configured to target any point-of-sale (POS) system, and which also takes steps to avoid detection.

Jay Yaneza, threat analyst with Trend Micro, wrote in a Friday post that MalumPOS is currently targeting data from POS systems running on Oracle MICROS, a system used in 330,000 customer sites around the world – the majority of which are hospitality, food and beverage and retail locations in the United States.

MalumPOS – a POS RAM scraper written in the Delphi programming language – is also targeting Oracle Forms and Shift4 systems, but without much trouble the attackers can reconfigure the malware to breach other systems such as Radiant or NCR Counterpoint POS systems, Yaneza said in the post.

“[It’s] not that difficult,” Yaneza told SCMagazine.com in a Monday email correspondence. “Threat actors just have to determine which processes to target, and then build a new binary. The characteristics of the binaries we analyzed tell us that they’re using a kit/builder as the binary construction is the same and then the necessary elements to make it run are loaded on runtime.”

Upon infection, MalumPOS takes a few steps to hide and avoid detection, one of which includes disguising itself as a “NVIDIA Display Driver” – stylized as “NVIDIA Display Driv3r.” Yaneza reminds users that typical NVIDIA components are not integral to POS systems.

Additionally, MalumPOS scrapes credit card data selectively by using regular expressions (regexes) to comb through POS data and find only important information. Specifically, the malware looks for data on Visa, MasterCard, American Express, Discover and Diner’s Club cards.

Trend Micro has provided additional details on the threat in a MalumPOS technical brief.

As seen on SC Magazine – Malware targets Oracle Micros, Shift4, Radiant, and NCR.