June 9, 2015 By Douglas Bonderud 2 min read

Businesses in the hospitality sector may get an unexpected — and unwelcome — guest thanks to the newly discovered MalumPOS malware. According to Trend Micro, the data-stealing tool is targeting hotels, restaurants and a number of large retail chains. Upon check-in, the malware sets up shop and starts scanning for credit card data, then exfiltratres this information for cloning or use in fraudulent online purchases. Here’s what researchers know so far.

Big Numbers for MalumPOS

Right now, this malware tool is after any company running Oracle’s MICROS platform, which amounts to 330,000 businesses worldwide. While Trend didn’t go into detail on the original threat vector or installation method of MalumPOS, they were up-front about the results: Malum is a point-of-sale (POS) ROM scraper able to grab credit data any time magnetic stripes are swiped through a card reader. Information such as the cardholder’s name and account number are up for grabs, and the malware is able to scan for all cards with equal facility.

And it gets worse. As noted by ZDNet, the Delphi-coded tool is configurable, meaning it won’t stay confined to Oracle systems for long. With just a little tweaking, it’s possible to infect almost any other POS system. According to Trend Micro, malicious actors could “configure MalumPOS to include Radiant or NCR Counterpoint POS systems to its target list,” exposing multiple industries to this new risk.

Reading the Market

This new malware points to a worrisome trend: Malicious actors have begun to fully exploit the fact that POS systems are simply another type of computer, making them the ideal platform for data-stealing infections. Tod Beardsley, of security firm Rapid7, told Infosecurity Magazine to think of it this way: “If a device has a USB slot, has an Ethernet port or is on a wireless network, then it is possible to attack it and alter it.”

It’s also worth noting that the malware creators have taken the time to disguise their process with a familiar name. When installed, MalumPOS claims to be an “Nvidia Display Driver” or “Driv3r,” making it seem like a harmless background process. Even though POS systems require no graphics hardware or drivers from Nvidia, the popular name and seemingly innocuous nature are often enough to dampen any suspicions.

As Infosecurity Magazine pointed out, even if Malum doens’t get reconfigured anytime soon, its reach is already substantial. In addition to Oracle MICROS, the malware also goes after Oracle Forms, Shift4 systems and several others accessed via Internet Explorer. In other words, there’s real potential here for a massive credit card compromise. Fortunately, Trend Micro has a MalumPOS Technical Brief with key malware indicators, along with a YARA rule for endpoint software, giving infected companies the chance to track down this unwelcome guest and not-so-politely show it the door.

POS systems remain a high-value target for malicious actors. MalumPOS is the next iteration of this malware class, able to easily change configurations and hide itself in plain sight. Hospitality companies running MICROS need to be on alert; not every guest is in town for the great views or spectacular food — some prefer to dine, dash and then distribute credit card data.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today