MalumPoS malware targets hotels, scrapes customer credit cards


Researchers have discovered MalumPoS, a new point-of-sale malware designed to steal credit card data from hotels and other US businesses.

Trend Micro’s Kenney Lu described the security firm’s discovery in a blog post last week. The point-of-sale (POS) malware targets sales systems in hotels and other industries in the United States in order to scrape valuable credit card data which can then be used to create cloned cards, empty victim bank accounts or be sold on the black market.

MalumPoS is designed to collect data from POS machines running Oracle MICROS, a point-of-sale platform used by restaurants, hotels, retailers and enterprises at approximately 333,000 customer sites worldwide.

“If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk,” Trend Micro says.

While the security firm did not reveal how the malware reaches systems, the company says MalumPoS, written in the Delphi programming language, monitors running processes and scrapes the memory of the ones it is configured to target. When a card is swiped on an infected machine, the malware captures the track data, such as cardholder names and account numbers, from the POS process's memory.

MalumPoS is configurable, so threat actors can change or add the POS processes it targets and the memory regions it scrapes. For example, MalumPoS could be configured to add Radiant or NCR Counterpoint POS systems to its target list, placing a wider field of retailers at risk.

Once installed on a system, the malware disguises itself as "the Nvidia Display Driver," sometimes stylized as the "Nvidia Display Driv3r." Nvidia graphics drivers are rarely needed on POS systems, but the familiar branding, and the fact that drivers are an expected component for keeping peripherals working, could make the entry look legitimate to the average user.


Aside from Oracle MICROS, Trend Micro says the malware also targets Oracle Forms, Shift4 systems and systems accessed via Internet Explorer. The majority of targets are based in the United States.

The malware is also selective about the credit card data it scrapes, keeping only Visa, MasterCard, American Express, Discover and Diners Club numbers.
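What a RAM scraper actually looks for, and what a defender can search a memory dump for, is magnetic-stripe track data: a primary account number followed by expiry and service-code fields. The scanner below is an added example written for this page, not Trend Micro's code or the malware's own logic. It runs the two track-format patterns over a constructed buffer that stands in for a POS process dump, discards anything that fails the Luhn check digit, and keeps only the five brands named above, using the publicly documented prefix and length ranges (an assumption; the article does not reproduce the malware's own tables). The card numbers in the sample are standard public test PANs.

```python
import re
from typing import List, NamedTuple, Optional

# Magnetic-stripe track layouts as they sit in POS process memory (ISO/IEC 7813):
#   Track 1: "%B<PAN>^<NAME>^<YYMM>...?"     Track 2: ";<PAN>=<YYMM>...?"
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


class Hit(NamedTuple):
    offset: int
    track: int
    brand: str
    pan: str
    expiry: str            # YYMM as encoded on the stripe
    name: Optional[str]    # Track 1 only


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; scrapers use it to drop digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan: str) -> Optional[str]:
    """Map a PAN to one of the five brands the article says MalumPoS keeps.

    Prefix/length ranges are the publicly documented ones (assumption: the
    malware's own tables are not on the page)."""
    n = len(pan)
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "MasterCard"
    if n == 15 and p2 in (34, 37):
        return "American Express"
    if n == 16 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    if n == 14 and (p2 in (36, 38) or 300 <= p3 <= 305):
        return "Diners Club"
    return None             # e.g. JCB, which is not on the target list


def mask(pan: str) -> str:
    """First six / last four, so a hunting report never carries a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> List[Hit]:
    """Return every Luhn-valid, targeted-brand track record found in a memory buffer."""
    hits: List[Hit] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        b = brand(pan)
        if b and luhn_ok(pan):
            hits.append(Hit(m.start(), 1, b, pan, m.group(3).decode(), m.group(2).decode()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        b = brand(pan)
        if b and luhn_ok(pan):
            hits.append(Hit(m.start(), 2, b, pan, m.group(2).decode(), None))
    return sorted(hits)        # by offset, the way they appeared in memory


# Constructed stand-in for a process memory dump; the PANs are public test numbers.
SAMPLE_DUMP = (
    b"\x00\x00NVIDIA Display Driv3r\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00\x00"
    b";5555555555554444=25121011000012345678?\xff\xfe"
    b";378282246310005=2512101?"
    b";6011111111111117=2512101?"
    b";30569309025904=2512101?"
    b";4111111111111112=2512101?"     # fails the Luhn check: not a card
    b";3530111333300000=2512101?"     # JCB prefix: not on the target list
)

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"0x{h.offset:06x} T{h.track} {h.brand:<16} {mask(h.pan)} exp {h.expiry} {h.name or ''}")
```

Run against a real dump (for example the output of a process memory acquisition tool) by passing the file's bytes to `scan()`. The two filters are what separate card data from noise: the Luhn test removes most random digit runs, and the brand table enforces the same selectivity the article attributes to MalumPoS, so the last two records in the sample are rejected even though they match the track pattern.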

The following indicators are used in the POS stage:


Read the full technical brief here (.PDF).

In May, researchers from FireEye discovered NitlovePOS, a new POS malware strain which infects users through phishing campaigns. The phishing campaign entices victims to download malicious payloads through spoofed Yahoo! mail accounts and fraudulent emails relating to job opportunities, internships and resumes — a subject which would persuade most businesses to click.


