Have you heard of RawPOS? In short, it is a Windows-based malware family that targets payment card data, hitting the retail, hospitality and casino sectors.
The undiscovered POS malware – high-level review (found Aug 2016)
- Associated files psrmon.exe and oobentfy.exe: psrmon.exe handles the data encryption process and copies the following files to the Temp folder.
- Associated files hdmsvc.exe and oobentfy.exe: named pipe vulnerabilities (C:\DosDevices\pipe\pipe\net\NtControlPipe10); manipulation of the \DosDevices object directory was also found, which can lead to privilege escalation.
The program “oobentfy.exe” is the main body of the malware: it is the memory-scanning component.
1. The malware creates a memory dump folder (sample shown below):
2. The program monitors the memdump folder (C:\DOCUME~1\User\LOCALS~1\Temp\memdump), which holds the scraped credit card data in plain text.
3. The credit card data is then encrypted and written to a file.
According to the analysis, RawPOS infects a system in a three-part process. Additionally, this malware was found to rely on Perl source code.
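As an added example (not from the original post and not the malware's own code), here is the check a responder would run over a suspected memdump folder: a Python scanner that flags files holding Luhn-valid card numbers, which is how plaintext scraped data like the above is confirmed. The folder, file names and the 4111... test PAN are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding >9 back into one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(data: bytes) -> list:
    """Return Luhn-valid card-number candidates found in raw bytes (e.g. a memory dump)."""
    hits = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_dir(path: str) -> dict:
    """Map each file under path (relative name) to its count of Luhn-valid PANs; clean files are omitted."""
    report = {}
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                n = len(find_pans(fh.read()))
            if n:
                report[os.path.relpath(full, path)] = n
    return report

def demo() -> dict:
    """Build a constructed stand-in for the memdump folder, scan it, then remove it."""
    d = tempfile.mkdtemp(prefix="memdump_")
    # Track-2-style record with the standard 4111... test PAN, plus a decoy 16-digit number that fails Luhn
    with open(os.path.join(d, "dump1.dmp"), "wb") as fh:
        fh.write(b"\x00junk;4111111111111111=2512101000000000?\x00")
    with open(os.path.join(d, "notes.txt"), "wb") as fh:
        fh.write(b"ticket 1234567890123456 is not a card\n")
    report = scan_dir(d)
    shutil.rmtree(d)
    return report
```

The decoy shows why the Luhn step matters: without it, every 16-digit ticket or serial number in the folder would be reported as card data.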
Malware structure in depth
Merchant Levels & POS system workflow architecture
As of today (6 Aug 2016), it appears that no AV engines recognize the hash of the persistence mechanism as a threat.
Anyway, I will keep you posted if there are any updates.