Researchers at Trend Micro have come across MalumPOS, a new point-of-sale (PoS) malware designed to target systems running Micros and other PoS platforms.
Micros, acquired last year by Oracle for $5.3 billion, develops PoS and enterprise information software for the retail and hospitality industries. According to Oracle, more than 330,000 Micros systems are currently deployed by firms in over 180 countries.
The MalumPOS malware, which is distributed through various methods, disguises itself as “NVIDIA Display Driver” or “NVIDIA Display Driv3r” on the infected system. Once it infects a device, the threat monitors running processes and scrapes their memory contents for valuable payment card information. The malware can target up to 100 processes, Trend Micro noted in a technical brief.
The scraped credit card data is encrypted and stored in a file named “nvsvc.dll” in order to make it appear as if it’s a component of the legitimate NVIDIA driver.
MalumPOS has been developed using the Delphi programming language and it uses regular expressions to search for credit card numbers and other valuable data. Different regular expressions are used to identify Track 1 and Track 2 data. The malware targets Visa, American Express, Discover, MasterCard and Diners Club cards, researchers said.
According to Trend Micro, the stolen data can be used to clone payment cards or to conduct fraudulent transactions online. Many of the potential victims are located in the United States.
It’s not uncommon for PoS malware to use regular expressions to identify payment card information. However, experts noted that the specific expressions used by MalumPOS were previously spotted in the Rdaserv malware family. Trend Micro says it has identified several similarities between Rdaserv and MalumPOS, which suggests that the threats are somehow connected.
In addition to disguising components as NVIDIA graphics drivers, the malware developers also use old time stamps (e.g. 1992-06-19 17:22:17), and dynamically loaded APIs to evade detection.
While MalumPOS appears to mainly target devices using the Micros platform, researchers say it’s also capable of stealing information from systems running Oracle Forms, Shift4 and ones accessed via Internet Explorer.
Payment gateway Shift4 has clarified that its product uses fully tokenized and point-to-point encryption (P2PE) hardware-based solutions that prevent any memory scraping malware from gathering cardholder data.
“The Trend Micro brief, based on a 2014 report, is likely referencing 2013 data that is no longer valid. Since then, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution,” Steve Sommers, SVP of Applications Development with Shift4, told SecurityWeek. “This means that any memory scraping malware is rendered useless in gathering cardholder data. Swipe information and hand-keyed payment information is encrypted at the point of entry, which then flows through Shift4’s Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information.”
“Combined with 4Res®, which is used to tokenize payment information contained in reservation requests from third parties, all payment information at the merchant property is tokenized. Thus, tokens or encrypted P2PE card blocks are all that can be scraped,” Sommers added.
Trend Micro has pointed out that MalumPoS is configurable.
“This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list,” Trend Micro threat analyst Jay Yaneza wrote in a blog post.
*Updated with clarifications from Shift4
Related: PoS Malware Kits Rose in Underground in 2014
Related: Cisco Discovers New “PoSeidon” Point of Sale Malware