Micros, acquired last year by Oracle for $5.3 billion, develops PoS and enterprise information software for the retail and hospitality industries. According to Oracle, more than 330,000 Micros systems are currently deployed by firms in over 180 countries.
The MalumPOS malware, which is distributed through various methods, disguises itself as `NVIDIA Display Driver` or `NVIDIA Display Driv3r` on the infected system. Once it infects a device, the threat monitors running processes and scrapes their memory contents for valuable payment card information. The malware can target up to 100 processes, Trend Micro noted in a technical brief.
The scraped credit card data is encrypted and stored in a file named `nvsvc.dll` in order to make it appear as if it's a component of the legitimate NVIDIA driver.
MalumPOS is written in Delphi and uses regular expressions to search the scraped memory for card numbers and the surrounding track data, with separate expressions for Track 1 and Track 2 formats. The malware targets Visa, American Express, Discover, MasterCard and Diners Club cards, researchers said.
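To make the scraping step concrete, the Python below is an added example (it is not Trend Micro's analysis code and not the malware's own expressions): it runs Track 1 and Track 2 patterns over a byte buffer, drops digit runs that fail the Luhn check, and tags the issuer from the PAN prefix. The track layouts are the generic ISO/IEC 7813 formats and the issuer-prefix table is a simplified assumption; the memory buffer is constructed inline. Reading the buffer out of a live process (OpenProcess/ReadProcessMemory on Windows) is omitted. The same patterns are useful defensively, for sweeping a memory dump of a PoS host for cleartext track data.

```python
import re
from typing import List, Optional

# Generic ISO/IEC 7813 track layouts (assumption: illustrative patterns, not the
# expressions MalumPOS itself uses).
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,30})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(pan: str) -> Optional[str]:
    """Simplified prefix table for the brands the article names (assumption, not exhaustive)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    if pan[:2] in ("51", "52", "53", "54", "55"):
        return "MasterCard"
    if pan[:2] in ("36", "38") or pan[:3] in ("300", "301", "302", "303", "304", "305"):
        return "Diners Club"
    return None


def scrape(buf: bytes) -> List[dict]:
    """Return Luhn-valid track records found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 1, "pan": pan,
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "issuer": issuer(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 2, "pan": pan,
                         "name": None, "expiry": m.group(2).decode(),
                         "issuer": issuer(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample "process memory": two valid test PANs (Visa track 1, Amex track 2)
# surrounded by noise, plus one track-2 record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00ntdll.dll\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x00;1234567890123456=2512101?"      # not a real PAN, Luhn fails
    b"\x00;378282246310005=2512101123456?\x00\x00"
)

if __name__ == "__main__":
    for hit in scrape(SAMPLE_MEMORY):
        print(hit)
```

Note that the Luhn filter is what keeps the scraper's output small enough to exfiltrate: without it, every 13-to-19-digit run between the track sentinels would be collected.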
According to Trend Micro, the stolen data can be used to clone payment cards or to conduct fraudulent transactions online. Many of the potential victims are located in the United States.
It's not uncommon for PoS malware to use regular expressions to identify payment card information. However, experts noted that the specific expressions used by MalumPOS were previously seen in the Rdasrv malware family. Trend Micro says it has identified several similarities between Rdasrv and MalumPOS, which suggests that the two threats are somehow connected.
In addition to disguising components as NVIDIA graphics drivers, the malware's developers use old compile time stamps (e.g. 1992-06-19 17:22:17) and dynamically loaded APIs (resolved at run time rather than listed in the import table) to hinder analysis and detection. Note that the quoted time stamp is the fixed value Delphi's linker writes into every executable it produces (0x2A425E19, i.e. 1992-06-19 22:22:17 UTC), so while it prevents dating the build, it is also a reliable fingerprint of the toolchain.
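The check an analyst would run on a suspect `NVIDIA Display Driv3r` binary, as an added Python example (not Trend Micro's tooling): read `IMAGE_FILE_HEADER.TimeDateStamp` from the PE header and classify it as the Delphi default constant, implausibly old, later than the sample's first-seen date, or plausible. The sample input is a constructed minimal MZ/PE header, not a real binary; the year-2000 floor and the first-seen date are assumptions chosen for illustration.

```python
import struct
from datetime import datetime, timezone

# Fixed TimeDateStamp that Delphi's linker writes into every executable it produces
# (1992-06-19 22:22:17 UTC). On its own it identifies the toolchain, not the build date.
DELPHI_DEFAULT_STAMP = 0x2A425E19

# Assumption for this example: PoS malware of this era is not 20th-century code,
# so anything stamped before 2000-01-01 UTC is treated as deliberately backdated.
EARLIEST_PLAUSIBLE = 946684800


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def classify_timestamp(stamp: int, first_seen: int) -> str:
    """Triage verdict for a compile stamp given when the sample was first observed."""
    if stamp == DELPHI_DEFAULT_STAMP:
        return "delphi-default"
    if stamp > first_seen:
        return "future"           # claims to be built after it was already in the wild
    if stamp < EARLIEST_PLAUSIBLE:
        return "implausibly-old"
    return "plausible"


def human(stamp: int) -> str:
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header used as sample input (not a real, loadable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header right after the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header, EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + file_header


if __name__ == "__main__":
    first_seen = 1433721600                     # assumed first-seen date, 2015-06-08 UTC
    for stamp in (DELPHI_DEFAULT_STAMP, 1430438400, 1451606400):
        found = pe_timestamp(build_stub_pe(stamp))
        print(human(found), classify_timestamp(found, first_seen))
```

The Delphi verdict is the one worth acting on: it pairs with the article's observation that MalumPOS is written in Delphi, and it means the "1992" date should not be read as a hand-crafted evasion when hunting for related samples.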
While MalumPOS appears to mainly target devices running the Micros platform, researchers say it is also capable of stealing information from systems running Oracle Forms and Shift4, and from the Internet Explorer process.
"MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list," Trend Micro threat analyst Jay Yaneza wrote.