RtPOS Malware’s Year in the Wild Before Discovery

What Is It?

A new report from Booz Allen Hamilton Cyber (BAHC) describes a piece of point of sale (POS) malware named RtPOS that appears to have been undiscovered for a year.

In previous Threat Reports (on RadRAT and InvisiMole), we discussed the concept of dwell time: the period between a network being compromised and that breach being detected.

POS malware, such as LockPOS, is designed to steal payment card data from terminals and other systems used to process card payments in stores and other businesses. Most often, the card data is extracted directly from the memory of the infected system. Readers may remember the news around the use of POS malware, such as in the well-publicized attacks on customers of Home Depot and Target in 2014.

BAHC did not describe how or where they obtained the sample, though they named it RtPOS based on a debug string found in the sample. The metadata of the sample shows the language code to be Russian, which could indicate a possible location of the authors (or at least their chosen language). The sample’s apparent lack of sophistication and functionality has caused speculation as to whether it is an example of malware that is still under development, although these same attributes could also indicate a deliberate choice by the authors to make the malware stealthier.

Unlike the majority of current malware, RtPOS is not packed or otherwise obfuscated. However, this may actually make the sample appear less suspicious to endpoint-specific anti-malware solutions. In a departure from most POS malware, this sample also does not contain the capability to exfiltrate stolen card data; that data is merely logged in plain text to a file stored in the Windows\SysWOW64 directory. The malware is very specific in its function: it accepts only two parameters (either “install” or “remove”) and looks only for card data, not other data that could be commoditized by attackers, such as social security numbers.

Given its narrow focus, it is believed that RtPOS is used in conjunction with additional malware in order to compromise the payment processing system and exfiltrate the extracted data. The compile date of the sample is August 2017 and there is no evidence to suggest this is not accurate, indicating the malware has been unnoticed in the wild for a full year.

How Does It Propagate?

The malware does not self-propagate and the infection vector is currently unknown.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the RtPOS malware. Regression testing has shown the sample would have been detected 20 months prior to its discovery, which appears to be 12 months after it was created, meaning BluVector would have detected this sample 8 months before it was even created.
