June 9, 2015 By Douglas Bonderud 2 min read

Businesses in the hospitality sector may get an unexpected — and unwelcome — guest thanks to the newly discovered MalumPOS malware. According to Trend Micro, the data-stealing tool is targeting hotels, restaurants and a number of large retail chains. Upon check-in, the malware sets up shop and starts scanning for credit card data, then exfiltratres this information for cloning or use in fraudulent online purchases. Here’s what researchers know so far.

Big Numbers for MalumPOS

Right now, this malware tool is after any company running Oracle’s MICROS platform, which amounts to 330,000 businesses worldwide. While Trend didn’t go into detail on the original threat vector or installation method of MalumPOS, they were up-front about the results: Malum is a point-of-sale (POS) ROM scraper able to grab credit data any time magnetic stripes are swiped through a card reader. Information such as the cardholder’s name and account number are up for grabs, and the malware is able to scan for all cards with equal facility.

And it gets worse. As noted by ZDNet, the Delphi-coded tool is configurable, meaning it won’t stay confined to Oracle systems for long. With just a little tweaking, it’s possible to infect almost any other POS system. According to Trend Micro, malicious actors could “configure MalumPOS to include Radiant or NCR Counterpoint POS systems to its target list,” exposing multiple industries to this new risk.

Reading the Market

This new malware points to a worrisome trend: Malicious actors have begun to fully exploit the fact that POS systems are simply another type of computer, making them the ideal platform for data-stealing infections. Tod Beardsley, of security firm Rapid7, told Infosecurity Magazine to think of it this way: “If a device has a USB slot, has an Ethernet port or is on a wireless network, then it is possible to attack it and alter it.”

It’s also worth noting that the malware creators have taken the time to disguise their process with a familiar name. When installed, MalumPOS claims to be an “Nvidia Display Driver” or “Driv3r,” making it seem like a harmless background process. Even though POS systems require no graphics hardware or drivers from Nvidia, the popular name and seemingly innocuous nature are often enough to dampen any suspicions.

As Infosecurity Magazine pointed out, even if Malum doens’t get reconfigured anytime soon, its reach is already substantial. In addition to Oracle MICROS, the malware also goes after Oracle Forms, Shift4 systems and several others accessed via Internet Explorer. In other words, there’s real potential here for a massive credit card compromise. Fortunately, Trend Micro has a MalumPOS Technical Brief with key malware indicators, along with a YARA rule for endpoint software, giving infected companies the chance to track down this unwelcome guest and not-so-politely show it the door.

POS systems remain a high-value target for malicious actors. MalumPOS is the next iteration of this malware class, able to easily change configurations and hide itself in plain sight. Hospitality companies running MICROS need to be on alert; not every guest is in town for the great views or spectacular food — some prefer to dine, dash and then distribute credit card data.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today