New PoS Malware Hits Victims Via Spam Campaign: FireEye

Researchers at FireEye have identified a new strain of point-of-sale (POS) malware being used in a spam campaign.

The malware has been dubbed NitlovePoS and can capture and exfiltrate both track one and track two data from payment cards by scanning the running processes of the compromised machine. According to FireEye, cybercriminals have launched an attack campaign using emails with subject titles such as ‘My Resume’ and ‘Any Openings?’. The campaign is believed to have started May 20. Inside the emails is an attachment that is disguised as a resume but is actually a Word document with an embedded malicious macro.

“To trick the recipient into enabling the malicious macro, the document claims to be a ‘protected document’,” blogged FireEye researchers Nart Villeneuve and Daniel Regalado. “If enabled, the malicious macro will download and execute a malicious executable from”

The cybercriminals behind this operation have been updating the payload, the researchers explained. The two payloads FireEye has observed beacon to the same server from which they are downloaded. They then receive instructions to download additional malware hosted on the server.

“We focused on the “pos.exe” malware and suspected that it may be targeted at Point of Sale machines,” the researchers blogged. “We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE’s [hosted] on that server, we have only observed three downloads of “pos.exe”.”

The malware adds itself to the Run registry key to guarantee it will run after every reboot, they explained.

“NitlovePOS expects to be run with the “-” sign as argument; otherwise it won’t perform any malicious actions,” the researchers blogged. “This technique can help bypass some methods of detection, particularly those that leverage automation.”

“If the right argument is provided, NitlovePOS will decode itself in memory and start searching for payment card data,” they continued. “If it is not successful, NitlovePOS will sleep for five minutes and restart the searching effort.”
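A defender-side companion to the behaviour described above, added here as an example and not code from FireEye or SecurityWeek: it triages constructed Sysmon-style registry events (field names follow Sysmon Event ID 13, RegistryEvent value set), flags writes to a Run key, and notes two traits the article mentions, an executable outside the standard Windows directories and a bare "-" argument. The event records, paths and value names are constructed.

```python
"""Triage Run-key persistence in constructed Sysmon-style registry events.

Added example, not FireEye's or SecurityWeek's code. Field names mimic Sysmon
Event ID 13 (EventType, Image, TargetObject, Details); all records are constructed.
"""
import re

# Matches HKLM/HKCU/HKU paths ending in ...\CurrentVersion\Run\<value> or RunOnce\<value>.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventType": "SetValue",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Temp\\pos.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\Temp\\pos.exe\" -"},
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"EventType": "SetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

def split_cmdline(cmd):
    """Split a Windows command line into (executable, [args]).
    Handles a double-quoted executable path; otherwise splits on the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.split()

def assess_run_value(event):
    """Return findings for one value-set event; empty list if it is not a Run-key write."""
    if not RUN_KEY_RE.search(event["TargetObject"]):
        return []
    exe, args = split_cmdline(event["Details"])
    findings = ["run_key_persistence"]
    if not exe.lower().startswith(TRUSTED_DIRS):
        findings.append("exe_outside_trusted_dirs")  # user-writable drop location
    if args and all(re.fullmatch(r"-+", a) for a in args):
        findings.append("bare_dash_argument")  # argument gate described in the article
    return findings

def triage(events):
    """Keep only Run-key writes, each as (writing process, value data, findings)."""
    return [(e["Image"], e["Details"], f) for e in events if (f := assess_run_value(e))]
```

The second sample shows why the Run-key hit alone is low-signal: a Windows component writing a Run value from a trusted directory gets no further findings, while the first sample collects all three.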

NitlovePoS is just one of several pieces of POS malware that have appeared so far in 2015, which has seen the emergence of malware such as Punkey and FighterPOS. According to market research firm ABI Research, the growing focus on POS systems by attackers will boost the market for security solutions aimed at protecting the point-of-sale environment. In particular, the firm cited next-generation firewalls as a key technology for enforcing network segmentation.

“The key advantage that NGFW (next-generation firewalls) provides for network segmentation is application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled,” said Monolina Sen, ABI Research’s senior analyst in digital security, in a statement. 

ABI Research predicts the number of POS-related security incidents with confirmed data exposure will increase by the end of 2015.

“Even cybercriminals engaged in indiscriminate spam operations have POS malware available and can deploy it to a subset of their victims,” the FireEye researchers noted. “Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant. We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cybercrime marketplace.”