Booz Allen Hamilton Researchers Detail New RtPOS Point-of-Sale Malware

Security researchers from Booz Allen Hamilton have spotted a previously unseen and undocumented malware strain that targets point-of-sale (POS) systems.

The malware, which they named RtPOS, appears to be Russian in origin, according to an initial technical analysis published last week.

Overall, this new malware strain is nowhere near as sophisticated as other fellow POS malware strains, such as TreasureHunter, UDPoS, RawPOS, or MajikPOS.

RtPOS is an unsophisticated threat

Researchers say RtPOS contains only a limited set of functions. For example, the malware's binary accepts only two arguments —install and remove— and nothing else.

The malware is also a classic RAM scrapper only, without any extra bells and whistles. This is in contrast with many recent POS malware strains that try to port and include functions from infostealers and remote access trojans, providing crooks with an all-in-one threat for data hunting and collection.

In comparison, RtPOS has one primary function, and that's to watch a PC's RAM for card-number-looking text patterns and save these numbers to a local DAT file. It doesn't look for SSNs, passwords, or driver's license data, or anything else.

But this is not the most glaring characteristic that stood out about RtPOS. The malware, they say, has no networking features, meaning it does not contact remote servers for additional commands or to exfiltrate stolen data.

All collected payment card data is stored inside the local DAT file and left there.

RtPOS looks like an in-dev malware strain

Currently, researchers can't tell why this happens, but there are two main theories.

The first, and most likely, is that the malware is still under development, and a data exfiltration feature will be added in the future. Many believe this to be the correct assumption, as the malware's source code also doesn't feature any obfuscation. The lack of any code obfuscation is a common trait of malware in its early phases.

The second theory is that attackers are using another malware strain to infect users, and they only deploy RtPOS with the sole purpose of collecting payment card data, and payment card data alone. Attackers could be using the original malware or some other tool to exfiltrate the collected data, without having to pack this functionality in RtPOS itself.

This scenario is also a valid theory, as having something else exfiltrate the data at rarer intervals reduces the malware's network footprint, which could prevent some endpoint protection systems from spotting the malware's data exfiltration activity.