PwnPOS

PwnPOS is Point-of-Sale (PoS) card-scraper malware that, according to the researcher who discovered it, managed to remain undetected for over seven years thanks to its relatively simple structure. PwnPOS consists of two modules - one scrapes the compromised system's memory, while the other exfiltrates the collected data. It should be noted that the threat can operate only on 32-bit systems. At first glance, this may sound like a significant obstacle to the attackers' plans, since most sectors have by now switched to 64-bit systems. Point-of-sale infrastructure doesn't necessarily need an upgrade to function, however, and many terminals are still running Windows XP or Windows 7.

So far, PwnPOS operations have been observed deploying additional PoS malware such as BlackPOS and Alina. As for the geographical spread of the detected victims, no concrete target region could be determined, as victims have been found on several different continents - from Japan to Germany and Romania, the U.S. and Canada, and also Australia and India.

By default, PwnPOS installs itself at '%SystemRoot%\system32\wnhelp.exe'. It then poses as a 'Windows Media Help' service and executes itself through the '-service' switch. Through additional arguments, the threat can add or remove itself from the list of processes, which gives it a degree of persistence on the compromised system.

To scrape data, PwnPOS grants itself the 'SeDebugPrivilege' privilege and enumerates the running processes. Any suitable string it finds is validated with the Luhn algorithm before being stored in a DAT file named 'perf419.dat'. The contents of that file can then be exfiltrated by either of two different binaries.
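As an added example, not code from the original report or from the malware, the following Python triage helper turns the same Luhn filter to a defender's use: given a suspicious dropped file such as 'perf419.dat', it counts card-length digit runs, checks how many pass the Luhn check, and reports the survivors masked. The sample buffer and the card numbers in it are constructed from public test numbers.

```python
import re

# Constructed sample buffer standing in for a suspicious dropped file such as
# PwnPOS's 'perf419.dat'. The numbers are public test card numbers, not real PANs.
SAMPLE_DUMP = (
    b"perf\x00\x004111111111111111=2512101\x00junk 1234567890123456 "
    b"5500000000000004 9999999999999999 378282246310005\x00"
)

# Digit runs of card-number length (13 to 19) that are not part of a longer run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, the same filter the malware applies to candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so findings can be reported without exposing PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage_dump(blob: bytes) -> dict:
    """Count card-length digit runs in a blob and how many survive the Luhn filter.

    A high Luhn-pass ratio among such runs is what distinguishes scraped card data
    from incidental numbers found in an ordinary binary or log file.
    """
    candidates = [m.group().decode() for m in PAN_RE.finditer(blob)]
    valid = [c for c in candidates if luhn_valid(c)]
    return {
        "candidates": len(candidates),
        "luhn_valid": len(valid),
        "masked": [mask_pan(p) for p in valid],
    }


if __name__ == "__main__":
    print(triage_dump(SAMPLE_DUMP))
```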
