MalumPOS Malware Targets Oracle Micros PoS Systems

Researchers at Trend Micro have come across MalumPOS, a new point-of-sale (PoS) malware designed to target systems running Micros and other PoS platforms.

Micros, acquired last year by Oracle for $5.3 billion, develops PoS and enterprise information software for the retail and hospitality industries. According to Oracle, more than 330,000 Micros systems are currently deployed by firms in over 180 countries.

The MalumPOS malware, which is distributed through various methods, disguises itself as “NVIDIA Display Driver” or “NVIDIA Display Driv3r” on the infected system. Once it infects a device, the threat monitors running processes and scrapes their memory contents for valuable payment card information. The malware can target up to 100 processes, Trend Micro noted in a technical brief.

The scraped credit card data is encrypted and stored in a file named “nvsvc.dll” in order to make it appear as if it’s a component of the legitimate NVIDIA driver.

MalumPOS has been developed using the Delphi programming language and it uses regular expressions to search for credit card numbers and other valuable data. Different regular expressions are used to identify Track 1 and Track 2 data. The malware targets Visa, American Express, Discover, MasterCard and Diners Club cards, researchers said.

According to Trend Micro, the stolen data can be used to clone payment cards or to conduct fraudulent transactions online. Many of the potential victims are located in the United States.

It’s not uncommon for PoS malware to use regular expressions to identify payment card information. However, experts noted that the specific expressions used by MalumPOS were previously spotted in the Rdaserv malware family. Trend Micro says it has identified several similarities between Rdaserv and MalumPOS, which suggests that the threats are somehow connected.

In addition to disguising components as NVIDIA graphics drivers, the malware developers also use old timestamps (e.g. 1992-06-19 17:22:17) and dynamically loaded APIs to evade detection.
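The two disguise tricks above, the stale compile timestamp and the driver-like file name, are both cheap to check for during triage. The following is an added example (not code from Trend Micro or from the article) that parses the COFF `TimeDateStamp` out of a PE header and flags values that are implausibly old or in the future, and also flags the `nvsvc.dll` name the article reports. The plausibility cutoff of 1 January 2000 and the minimal PE header built inline for the demonstration are assumptions constructed for this example.

```python
import struct
from datetime import datetime, timezone
from typing import List, Optional

# Assumed cutoff for this example: compile timestamps earlier than this are
# treated as implausible for a binary found on a current PoS system.
OLDEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)

# File name the article reports MalumPOS using for its encrypted data store.
REPORTED_NAMES = {"nvsvc.dll"}

# Timestamp quoted in the article as an example of the deliberately old value.
ARTICLE_TIMESTAMP = datetime(1992, 6, 19, 17, 22, 17, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def assess_sample(file_name: str, data: bytes,
                  now: Optional[datetime] = None) -> List[str]:
    """Return triage findings for one file: timestamp plausibility and name."""
    now = now or datetime.now(timezone.utc)
    findings = []
    ts = pe_timestamp(data)
    if ts < OLDEST_PLAUSIBLE:
        findings.append(f"implausibly old compile timestamp {ts.isoformat()}")
    elif ts > now:
        findings.append(f"compile timestamp in the future {ts.isoformat()}")
    if file_name.lower() in REPORTED_NAMES:
        findings.append(f"file name {file_name} matches a reported MalumPOS artifact")
    return findings


def build_sample_pe(ts: datetime) -> bytes:
    """Constructed minimal PE header (DOS stub, signature, COFF header) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH",
                       0x14C,               # Machine: i386
                       1,                   # NumberOfSections
                       int(ts.timestamp()), # TimeDateStamp
                       0, 0,                # symbol table pointer / count
                       0,                   # SizeOfOptionalHeader (none here)
                       0x102)               # Characteristics: executable, 32-bit
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    suspicious = build_sample_pe(ARTICLE_TIMESTAMP)
    for line in assess_sample("nvsvc.dll", suspicious):
        print("finding:", line)
```

Run against real files by reading them in binary mode and passing the bytes to `assess_sample`; a finding is a triage prompt rather than a verdict, since legitimate old binaries exist, and the name check should be combined with the signature and path of the file.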

While MalumPOS appears to mainly target devices using the Micros platform, researchers say it is also capable of stealing information from systems running Oracle Forms and Shift4, and from systems accessed via Internet Explorer.

Payment gateway Shift4 has clarified that its product uses fully tokenized and point-to-point encryption (P2PE) hardware-based solutions that prevent any memory scraping malware from gathering cardholder data.

“The Trend Micro brief, based on a 2014 report, is likely referencing 2013 data that is no longer valid. Since then, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution,” Steve Sommers, SVP of Applications Development with Shift4, told SecurityWeek. “This means that any memory scraping malware is rendered useless in gathering cardholder data. Swipe information and hand-keyed payment information is encrypted at the point of entry, which then flows through Shift4’s Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information.”

“Combined with 4Res®, which is used to tokenize payment information contained in reservation requests from third parties, all payment information at the merchant property is tokenized. Thus, tokens or encrypted P2PE card blocks are all that can be scraped,” Sommers added.

Trend Micro has pointed out that MalumPOS is configurable.

“This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list,” Trend Micro threat analyst Jay Yaneza wrote in a blog post.

*Updated with clarifications from Shift4

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
