Unwelcome Guest: New MalumPOS Causes Headaches for Hospitality Sector

Businesses in the hospitality sector may get an unexpected — and unwelcome — guest thanks to the newly discovered MalumPOS malware. According to Trend Micro, the data-stealing tool is targeting hotels, restaurants and a number of large retail chains. Upon check-in, the malware sets up shop and starts scanning for credit card data, then exfiltratres this information for cloning or use in fraudulent online purchases. Here’s what researchers know so far.

Big Numbers for MalumPOS

Right now, this malware tool is after any company running Oracle’s MICROS platform, which amounts to 330,000 businesses worldwide. While Trend didn’t go into detail on the original threat vector or installation method of MalumPOS, they were up-front about the results: Malum is a point-of-sale (POS) ROM scraper able to grab credit data any time magnetic stripes are swiped through a card reader. Information such as the cardholder’s name and account number are up for grabs, and the malware is able to scan for all cards with equal facility.

And it gets worse. As noted by ZDNet, the Delphi-coded tool is configurable, meaning it won’t stay confined to Oracle systems for long. With just a little tweaking, it’s possible to infect almost any other POS system. According to Trend Micro, malicious actors could “configure MalumPOS to include Radiant or NCR Counterpoint POS systems to its target list,” exposing multiple industries to this new risk.

Reading the Market

This new malware points to a worrisome trend: Malicious actors have begun to fully exploit the fact that POS systems are simply another type of computer, making them the ideal platform for data-stealing infections. Tod Beardsley, of security firm Rapid7, told Infosecurity Magazine to think of it this way: “If a device has a USB slot, has an Ethernet port or is on a wireless network, then it is possible to attack it and alter it.”

It’s also worth noting that the malware creators have taken the time to disguise their process with a familiar name. When installed, MalumPOS claims to be an “Nvidia Display Driver” or “Driv3r,” making it seem like a harmless background process. Even though POS systems require no graphics hardware or drivers from Nvidia, the popular name and seemingly innocuous nature are often enough to dampen any suspicions.

As Infosecurity Magazine pointed out, even if Malum doens’t get reconfigured anytime soon, its reach is already substantial. In addition to Oracle MICROS, the malware also goes after Oracle Forms, Shift4 systems and several others accessed via Internet Explorer. In other words, there’s real potential here for a massive credit card compromise. Fortunately, Trend Micro has a MalumPOS Technical Brief with key malware indicators, along with a YARA rule for endpoint software, giving infected companies the chance to track down this unwelcome guest and not-so-politely show it the door.

POS systems remain a high-value target for malicious actors. MalumPOS is the next iteration of this malware class, able to easily change configurations and hide itself in plain sight. Hospitality companies running MICROS need to be on alert; not every guest is in town for the great views or spectacular food — some prefer to dine, dash and then distribute credit card data.

Contributor'photo

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...