Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Worm Capabilities Added to FighterPOS Malware

The developers of the point-of-sale (PoS) malware known as FighterPOS have added worm capabilities to their creation, and the number of infections detected in the United States has increased over the past period.

The developers of the point-of-sale (PoS) malware known as FighterPOS have added worm capabilities to their creation, and the number of infections detected in the United States has increased over the past period.

Trend Micro reported in April 2015 that a new PoS malware family had infected the systems of more than 100 organizations in Brazil, helping cybercriminals steal over 22,000 unique credit card records.

Initially sold for more than $5,000 worth of Bitcoins, FighterPOS continues to evolve, and while over 90 percent of infections still appear to be in Brazil, the number of infections detected by the security firm in the US now represents 6 percent of the total, up from 1 percent reported in April 2015.

Experts’ assumption that FighterPOS operators have started targeting the United States is also backed by the fact that new samples of the malware include strings written in English, instead of Portuguese. 

Trend Micro has come across two new FighterPOS samples: a lightweight version detected as TSPY_POSFIGHT.F, and a more sophisticated variant detected as WORM_POSFIGHT.SMFLK and dubbed “Floki Intruder.”

Similar to older versions of FighterPOS, Floki Intruder can disable the firewall, User Account Control (UAC) and other Windows protections, and it can detect the presence of security products using Windows Management Instrumentation (WMI). Just like previous variants, Floki Intruder is delivered via hijacked websites and it’s capable or receiving updates from its command and control (C&C) servers.

One noteworthy feature added to Floki Intruder allows the threat to infect all PoS terminals on a network. The malware enumerates logical drives and drops copies of itself along with an autorun.inf file using WMI. The autorun.inf file is used to execute the malware when the targeted logical drive is accessed.

Advertisement. Scroll to continue reading.

“Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network, a propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected,” Trend Micro researchers said in a blog post.

The lightweight FighterPOS variant found by Trend Micro is only designed to connect to the attacker’s server to send payment card logs collected by other PoS malware that is designed to scrape the RAM for valuable information. TSPY_POSFIGHT.F doesn’t accept backdoor commands and it cannot obtain information on the infected machine.

Researchers discovered several new PoS malware families last year, including NitlovePoSPoSeidon, MWZLesson, MalumPOS, Cherry Picker and AbaddonPOS.

Related: Operation Black Atlas Continues to Compromise PoS Systems

Related: Botnet Takes “Shotgun” Approach to Hack PoS Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...