“A new Point-of-Sale RAM scraper is being offered for sale, and is currently designed to collect data from a very specific type of PoS systems: those running on Oracle MICROS (often used in the hospitality and retail industries, mostly in the US).
“Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer. Looking at the user base of these listed platforms, we can see that a major chunk is from the US,” Trend Micro researchers noted.
It is also interesting that, at the moment, MalumPoS trawls the PoS system’s RAM only for Visa, MasterCard, American Express, Discover, and Diners Club payment card data – data for other cards is ignored.
MalumPoS has many similarities with Rdasrv, the RAM scraper family that started the run of PoS malware in 2011, which makes it possible, and even likely, that the author(s) are the same or somehow linked.
“What is clear is that the persons operating MalumPOS had prior information about their target’s environment as they are able to customize binaries based on the target’s POS systems, plant them within the target’s environment, and manually collect the stored data,” the researchers pointed out.
The malware employs several techniques to evade detection, including giving the collected files an old timestamp, loading some of the APIs dynamically, and using filenames that users associate with well-known, legitimate software (e.g., NVIDIA Display Driver).
It is worth noting that the malware can be reconfigured to target any other PoS system and tailored to specific environments, so the threat it presents could escalate in the near future.
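As an added defender-side illustration (not code from the article or from Trend Micro), the following Python scans a directory for two of the traits listed above: files whose modification time has been rolled back well before the OS-maintained change/creation time, and lookalike filenames sitting outside the folder where the genuine software lives. The watchlist entry, the expected path and the backdating threshold are assumptions, and the sample files are constructed inside the script.

```python
import os
import tempfile
import time
from pathlib import Path

# Hypothetical watchlist (constructed for this example): filenames that imitate
# well-known software, mapped to the folder suffix where the genuine component
# normally lives. The NVIDIA name below is an assumption, not a reported indicator.
LOOKALIKE_NAMES = {"nvidia_display_driver.exe": "program files/nvidia corporation"}
BACKDATE_THRESHOLD = 365 * 24 * 3600  # mtime this far behind ctime: assumed cutoff


def timestamp_anomaly(path):
    """True if mtime is far older than ctime. mtime can be set by whoever writes the
    file, but ctime (POSIX change time, Windows creation time) is set by the OS."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > BACKDATE_THRESHOLD

def name_anomaly(path):
    """True if a watchlisted lookalike name sits outside its expected folder."""
    p = Path(path)
    expected = LOOKALIKE_NAMES.get(p.name.lower())
    return expected is not None and not p.parent.as_posix().lower().endswith(expected)

def scan(directory):
    """Walk a directory tree and return {path: [reasons]} for flagged files."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            reasons = []
            if timestamp_anomaly(full):
                reasons.append("mtime backdated relative to ctime")
            if name_anomaly(full):
                reasons.append("lookalike filename outside expected location")
            if reasons:
                findings[full] = reasons
    return findings

def demo():
    """Create two constructed sample files, scan them, return (findings, clean, odd)."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "orders.log")
    Path(clean).write_text("ordinary file\n")
    odd = os.path.join(base, "temp", "nvidia_display_driver.exe")
    os.makedirs(os.path.dirname(odd))
    Path(odd).write_bytes(b"constructed sample, not a real binary")
    old = time.time() - 3 * BACKDATE_THRESHOLD
    os.utime(odd, (old, old))  # roll back atime/mtime; ctime stays current
    return scan(base), clean, odd
```

Both heuristics produce candidates for triage rather than verdicts: preserved-timestamp copies and legitimately relocated software will also trip them.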
Aside from detecting current malware binaries, Trend Micro has also provided a YARA rule and indicators of compromise for MalumPoS. For more details about these and the malware itself, consult this paper.