Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data. The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.
Touted as the earliest of its kind, very little research and documentation exists about RawPOS. As such, we will attempt to give light on this threat that may have been instrumental to previous credit card breaches documented and not previously attributed to this particular PoS threat.
RawPOS, Then and Now
The earliest reference to RawPOS we came across was around October 2008, with the Visa Data Security Alert about debugging or parsing memory of point-of-sale systems to extract the full magnetic stripe data from volatile memory. Details from this advisory were observed in other security advisories released in 2008 and 2009.
The latest security advisory regarding RawPOS was released in March 2015. The advisory talks about its involvement with attacks related to the hospitality industry—a report that matches our own findings.
Configurable, Modular Design
RawPOS has a modular design that is highly configurable and has always been a multi-stage scraper. Brought about by pioneers in PoS malware threats, the design they chose has now proven to be enduring till today:
- The multi-stage or multi-component strategy ensures a high success rate for the chosen environment, while making prevention and detection harder –no matter what type of solution.
- The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks within small-to-medium business segments are designed.
- It is fault-tolerant, persistent and very specific – incident responders and threat investigators may chance upon a specific file that has only been deployed for that specific business.
Multiple Software Support
Aside from being multi-component, RawPOS is notable for its support for multiple PoS software. Since business establishments would have different PoS software, attackers have modified RawPOS’ code to support multiple PoS software over time. Below is a table showing the different PoS software that is supported by RawPOS.
Figure 1. Supported PoS software (click the image to enlarge)
It should be noted that the list is compiled against what Trend Micro had seen in terms of file samples. While this PoS software listing tries to be as complete based on this file samples we have acquired, RawPOS and its components are highly configurable and we can certainly be sure that RawPOS has been modified to adapt to more PoS software.
Additional analysis by Kenney Lu, Dark Luo, Marvin Cruz and Numaan Huq
More details about RawPOS, as well as best practices and available Trend Micro solutions, can be found in our RawPOS Technical Brief.
