RtPOS is a Point-of-Sale (PoS) data-scrapper that has been established to be a relatively unique threat that is not part of any existing malware family. The threat's name was derived from a debug path found in the sample analyzed by infosec researchers.
After analyzing the code, it was revealed that RtPOS is a relatively unsophisticated threat when compared to more advanced credit card scrapers out there. It accepts only two arguments - /install and /remove that are responsible for the installation process and the removal of the threat from the targeted device. As a basic form of obfuscation, the malware pretends to be a 'Windows Logon Service.'
Once inside the compromised system, RtPOS begins its threatening activity by obtaining a list of the device's processes through CreateToolhelp32Snapshot. It then begins to iterate on the list by using Process32FirstW. Finally, it accesses the RAM by exploiting the ReadProcessMemory function. Collecting data from the targeted system's memory is a common goal for most card scrapers, as this is the place where card data is stored and processed before any encryption has been applied to it. When a card number is found, RtPOS validates it through the use of a Luhn Algorithm. All acquired data is stored in a DAT file named 'sql8514.dat' created by the malware in the '\Windows\SysWOW64 folder.'
As we said earlier, RtPOS lack several functions present in more mature threats of its type. For example, it cannot exfiltrate the collected data by itself. This could be a deliberate choice to reduce the amount of attention that the threat could generate, resulting in a longer presence on the compromised device and an increased total of scrapped data. It also could signal that the hackers have a stable access point to the target's network.