
RtPOS

Posted: October 7, 2020

RtPOS is a piece of malware specialized in infecting Point-of-Sale (POS) devices and then scraping their Random Access Memory (RAM) to collect customers' credit card information. However, there are some noteworthy aspects of this malware family in particular. For starters, it does not include as many features as other popular POS malware, and, surprisingly, it is also incapable of sending the collected data to a remote server. This means that the attackers would need to have physical or remote access to the infected device to exfiltrate the file with the gathered credit card details.

RtPOS Does not Use the Computer's Network

The authors of RtPOS have focused on simplicity, and their malware has only the minimal features needed to get the job done. It is possible that RtPOS may still be a work in progress, since the basic structure and lack of convoluted obfuscation are not typical for POS malware. The only obfuscation measure of RtPOS is that it mimics a legitimate Windows service on the infected machine. All recovered samples of RtPOS adopted the name 'Windows Logon Service' once they were installed. Another peculiar thing about this malware is that the malicious executable requires one of two arguments to run: '/install' or '/remove'. This means that criminals would need to execute it on the infected machine manually.

Once running, RtPOS iterates over all active processes and looks for the ones associated with Point-of-Sale software. Once the targets are marked, the RtPOS implant observes the memory used by those processes and checks for strings matching the format of credit card numbers. Once a match is found, RtPOS runs the string through a quick Luhn algorithm check to verify that the information belongs to a legitimate credit/debit card. Finally, the collected data is stored in the file 'sql8514.dat' in the 'Windows' system folder.
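The Luhn check described above is the same filter that DLP tools and memory-dump scanners use to tell real card numbers apart from other digit runs, so an analyst can apply it to a suspected 'sql8514.dat' file or a memory dump to confirm whether card data was actually captured. The following Python script is an added example, not code from the article or from the RtPOS sample: it scans a constructed byte buffer (using publicly known test card numbers, not real cards) for 13- to 19-digit runs, keeps only those that pass Luhn, and reports them in masked form.

```python
import re

# Constructed sample: a fragment of the kind of text an analyst might find in a
# process-memory dump or in a scraper's output file. The card numbers are the
# well-known public test PANs, not real cards.
SAMPLE_BUFFER = (
    b"TRACK2=4111111111111111=2512101\x00"
    b"order_id=1234567890123456;"        # 16 digits that fail the Luhn check
    b"name=JANE DOE;pan=5500000000000004\x00"
    b"ts=20201007T120000"
)

# Candidate digit runs of the lengths used by payment cards (13 to 19 digits),
# bounded by lookarounds so a longer numeric field is not split into candidates.
CANDIDATE_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the right; double every second digit starting with the one
    # immediately to the left of the check digit, folding results above 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buffer: bytes) -> list:
    """Return the Luhn-valid candidate numbers found in buffer, in order."""
    hits = []
    for m in CANDIDATE_RE.finditer(buffer):
        candidate = m.group(1).decode("ascii")
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


def mask(pan: str) -> str:
    """Show only the last four digits, the usual form for reporting a hit."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_BUFFER):
        print("Luhn-valid card number found:", mask(pan))
```

Running the script reports the two test PANs and ignores the 16-digit order identifier, which illustrates why the malware bothers with the Luhn step at all: without it, a scraper would fill its output file with timestamps, order numbers and other digit runs that happen to be card-length. The same property makes the check useful on the defensive side when triaging what a captured output file actually contains.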

RtPOS' Collected Data is Extracted Manually

As mentioned earlier, RtPOS does not possess the ability to exfiltrate data over the Internet, so its operators would need remote or physical access to retrieve the 'sql8514.dat' file. While this may make the malware family sound basic, it may also be a deliberate choice by the criminals: by generating no network traffic, they leave a minimal footprint on the infected machine, making RtPOS more difficult to detect.

So far, only a few samples of the RtPOS malware have been seen in the wild, so it is possible that this implant is still undergoing testing and development. While its features are sub-par compared to other malware of this sort, it can still complete the primary task of collecting credit card information from unsuspecting customers.
