MalumPOS name
We first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target. Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.
Oracle claims that MICROS is used in 330,000 customer sites worldwide. The bulk of the companies using this platform are concentrated in the United States. If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk.
In general, PoS RAM scrapers like MalumPoS are designed to scrape credit card data from an infected system’s RAM. Every time the magnetic stripe of a credit card is swiped, the malware can steal stored data such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, commit fraudulent transactions like online purchases.
MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to add Radiant or NCR Counterpoint PoS systems to its target list. With that addition, companies running on those systems will also be at risk.
Other Notable Features
Compared to other PoS RAM scrapers we’ve seen in the past, this particular MalumPoS threat shows a few interesting characteristics:
- NVIDIA disguise: Once installed in a system, MalumPoS disguises itself as the “NVIDIA Display Driver” or, as seen below, stylized to be displayed as “NVIDIA Display Driv3r”. Although typical NVIDIA components play no important part in PoS systems, their familiarity to regular users may make the malware seem harmless.
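A detection sketch for the disguise described above, added here and not part of the original article: it folds digit-for-letter swaps in Windows service display names and flags names that resolve to a trusted-looking one. The reference list, function names and sample inventory are assumptions constructed for illustration; only the two NVIDIA strings come from the article.

```python
import unicodedata

# Assumption: names an analyst wants lookalikes reported for; only this
# string comes from the article.
REFERENCE_NAMES = ["NVIDIA Display Driver"]
# Digit/symbol-for-letter swaps folded back to letters before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def fold(name):
    """Lower-case, strip accents, undo leetspeak, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.lower().translate(LEET).split())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(display_name, max_typos=1):
    """Return (verdict, matched_reference) for one service display name."""
    folded = fold(display_name)
    for ref in REFERENCE_NAMES:
        if display_name == ref:
            return ("exact-name", ref)
        if edit_distance(folded, fold(ref)) <= max_typos:
            return ("lookalike", ref)
    return ("unrelated", None)

def review(services, reference_expected=False):
    """Flag (service, display_name) pairs; on hosts where the reference
    software is not expected (e.g. PoS terminals), exact names count too."""
    findings = []
    for svc, display in services:
        verdict, _ = classify(display)
        if verdict == "lookalike" or (verdict == "exact-name" and not reference_expected):
            findings.append((svc, display, verdict))
    return findings

if __name__ == "__main__":
    # Constructed inventory, e.g. exported from a terminal's service list.
    SAMPLE = [("svc1", "NVIDIA Display Driv3r"), ("Spooler", "Print Spooler"),
              ("svc2", "NVIDIA Display Driver")]
    for finding in review(SAMPLE):
        print(finding)
```

Feed `review` the service name and display name pairs collected from each terminal; set `reference_expected=True` only on hosts that genuinely run the reference software.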