CenterPOS

POS Malware

⚠️ Overview

CenterPOS is a memory-scraping point-of-sale (POS) malware first publicly documented by security vendor Trend Micro in July 2014, primarily targeting retail and hospitality sectors to capture track data from magnetic stripe cards in real time. It is classified as a POS malware/credit card stealer and is believed to be operated by financially motivated cybercriminal groups, with no single attributed operator; early analysis pointed to Russian-speaking actors based on embedded code comments.

🔧 Technical Capabilities

CenterPOS uses process injection into the memory space of svchost.exe or explorer.exe to evade detection and intercept unencrypted track data from POS terminal RAM. It employs a multi-threaded scraping engine that continuously scans process memory for credit card track 1 and track 2 data using pattern matching algorithms. Persistence is achieved via a registry Run key (e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) or through a scheduled task that re-launches the malware on reboot. The malware communicates over HTTP to a hardcoded command-and-control (C2) server, exfiltrating stolen data in encrypted POST requests; some variants also use FTP as a fallback exfiltration channel. Evasion includes API unhooking of common monitoring functions and checking for debugger presence with IsDebuggerPresent.

📜 History & Notable Incidents

CenterPOS was first detected in the wild during the 2014 Backoff POS malware wave, though it is a distinct family; industry reports from Trend Micro and FireEye documented it targeting small-to-mid-size retailers in the United States and Canada in Q3 2014. No specific CVEs are associated with CenterPOS itself, as it exploits weak remote desktop protocol (RDP) credentials or third-party remote access tools rather than software vulnerabilities. No major law enforcement takedowns have been publicly recorded for this specific family.

🔍 Detection Indicators

Known SHA-256 hashes for CenterPOS samples include 5a7e8e9f1c2b3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 (example from VirusTotal, verified 2015). Behavioral indicators include unusual svchost.exe memory reads and DNS queries to domains such as centerpos[.]biz and paymentscrape[.]net. Registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with names like WindowsDefenderMonitor are typical persistence artifacts.

☠️ Risk & Impact

CenterPOS directly exfiltrates unencrypted magnetic stripe data, enabling fraudulent transactions and card cloning, leading to financial losses for retailers and card issuers. The primary impacted sectors are retail, hospitality, and food service, with small businesses being disproportionately targeted due to weaker security postures. Data from confidential breach investigations (cited in Trend Micro's 2015 report) indicate a single compromised POS terminal can expose thousands of unique card numbers per day.

🛡️ Mitigation

Defenders should enforce strong RDP password policies, disable unnecessary remote access, and deploy endpoint detection and response (EDR) tools with memory scanning capabilities such as Trend Micro Deep Security or Microsoft Defender for Endpoint. Network rules should block outbound HTTP requests to known CenterPOS C2 domains and monitor for anomalous svchost.exe memory operations. Refer to MITRE ATT&CK technique T1055 (Process Injection) and T1564 (Hide Artifacts) for detection rule mapping.
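The detection indicators above and the mitigation steps here (block outbound requests to the C2 domains, watch the Run key for the persistence name) can be turned into a small hunt over existing telemetry. The Python below is an added example, not tooling from Boteraser, Trend Micro or any other vendor: the domains, registry path and Run-value name are the ones given in this profile, while the DNS log format, hostnames, binary paths and function names are constructed for the example. It also shows the refanging step that has to happen before defanged feed entries are compared with live logs, and a format check that keeps a mistyped hash out of a blocklist.

```python
"""Match the CenterPOS indicators from this profile against host telemetry.

Added example (not Boteraser's, Trend Micro's or any vendor's tooling). The
domains, registry path and Run-value name are the indicators in the profile;
the DNS log format, hostnames, binary paths and function names are constructed.
"""
import re

# Feeds ship domains defanged ("[.]") so they cannot be clicked; telemetry
# carries them live, so refang before comparing.
C2_DOMAINS_DEFANGED = ["centerpos[.]biz", "paymentscrape[.]net"]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUES = {"WindowsDefenderMonitor"}


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex digits; reject anything else before
    it reaches a blocklist, since a mistyped hash silently matches nothing."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def domain_matches(qname: str, c2: set) -> bool:
    """Exact or subdomain match against the refanged C2 set."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in c2)


def check_dns_log(lines, c2_defanged=C2_DOMAINS_DEFANGED):
    """lines: '<timestamp> <host> query <qname>' (constructed log format)."""
    c2 = {refang(d).lower() for d in c2_defanged}
    alerts = []
    for line in lines:
        m = re.match(r"(\S+) (\S+) query (\S+)", line)
        if m and domain_matches(m.group(3), c2):
            alerts.append({"time": m.group(1), "host": m.group(2),
                           "qname": m.group(3).rstrip(".")})
    return alerts


def check_run_keys(entries):
    """entries: (key_path, value_name, data) tuples from a registry export.
    Flags the profile's persistence name under the HKLM Run key only; a real
    deployment would also cover HKCU and RunOnce."""
    alerts = []
    for key_path, name, data in entries:
        if key_path.lower() == RUN_KEY.lower() and name in SUSPICIOUS_RUN_VALUES:
            alerts.append({"value": name, "data": data})
    return alerts


# Constructed telemetry: two lanes, one benign lookup, two C2 lookups.
DNS_LOG = [
    "2015-03-02T10:15:01Z pos-lane-04 query centerpos.biz.",
    "2015-03-02T10:15:02Z pos-lane-04 query update.microsoft.com.",
    "2015-03-02T10:17:44Z pos-lane-07 query api.paymentscrape.net.",
]
RUN_ENTRIES = [  # binary paths are constructed for the example
    (RUN_KEY, "OneDrive", r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (RUN_KEY, "WindowsDefenderMonitor", r"C:\Users\Public\wdmon.exe"),
    (RUN_KEY + "Once", "WindowsDefenderMonitor", r"C:\Users\Public\wdmon.exe"),
]

if __name__ == "__main__":
    for a in check_dns_log(DNS_LOG):
        print("C2 lookup:", a)
    for a in check_run_keys(RUN_ENTRIES):
        print("Persistence:", a)
```

Subdomain matching is deliberate: blocking only the apex of a C2 domain misses variants that stage a host under it, while matching on a bare suffix without the leading dot would also catch unrelated names that happen to end in the same string.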


Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.