June 9, 2015 By Douglas Bonderud 2 min read

Businesses in the hospitality sector may get an unexpected — and unwelcome — guest thanks to the newly discovered MalumPOS malware. According to Trend Micro, the data-stealing tool is targeting hotels, restaurants and a number of large retail chains. Upon check-in, the malware sets up shop and starts scanning for credit card data, then exfiltratres this information for cloning or use in fraudulent online purchases. Here’s what researchers know so far.

Big Numbers for MalumPOS

Right now, this malware tool is after any company running Oracle’s MICROS platform, which amounts to 330,000 businesses worldwide. While Trend didn’t go into detail on the original threat vector or installation method of MalumPOS, they were up-front about the results: Malum is a point-of-sale (POS) ROM scraper able to grab credit data any time magnetic stripes are swiped through a card reader. Information such as the cardholder’s name and account number are up for grabs, and the malware is able to scan for all cards with equal facility.

And it gets worse. As noted by ZDNet, the Delphi-coded tool is configurable, meaning it won’t stay confined to Oracle systems for long. With just a little tweaking, it’s possible to infect almost any other POS system. According to Trend Micro, malicious actors could “configure MalumPOS to include Radiant or NCR Counterpoint POS systems to its target list,” exposing multiple industries to this new risk.

Reading the Market

This new malware points to a worrisome trend: Malicious actors have begun to fully exploit the fact that POS systems are simply another type of computer, making them the ideal platform for data-stealing infections. Tod Beardsley, of security firm Rapid7, told Infosecurity Magazine to think of it this way: “If a device has a USB slot, has an Ethernet port or is on a wireless network, then it is possible to attack it and alter it.”

It’s also worth noting that the malware creators have taken the time to disguise their process with a familiar name. When installed, MalumPOS claims to be an “Nvidia Display Driver” or “Driv3r,” making it seem like a harmless background process. Even though POS systems require no graphics hardware or drivers from Nvidia, the popular name and seemingly innocuous nature are often enough to dampen any suspicions.

As Infosecurity Magazine pointed out, even if Malum doens’t get reconfigured anytime soon, its reach is already substantial. In addition to Oracle MICROS, the malware also goes after Oracle Forms, Shift4 systems and several others accessed via Internet Explorer. In other words, there’s real potential here for a massive credit card compromise. Fortunately, Trend Micro has a MalumPOS Technical Brief with key malware indicators, along with a YARA rule for endpoint software, giving infected companies the chance to track down this unwelcome guest and not-so-politely show it the door.

POS systems remain a high-value target for malicious actors. MalumPOS is the next iteration of this malware class, able to easily change configurations and hide itself in plain sight. Hospitality companies running MICROS need to be on alert; not every guest is in town for the great views or spectacular food — some prefer to dine, dash and then distribute credit card data.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today