NewPosThings

POS Malware

⚠️ Overview

NewPosThings is a point-of-sale (POS) memory-scraping malware first documented by researchers at Trend Micro in 2016, originally detected targeting hospitality and retail businesses in the Asia-Pacific region before expanding globally. It belongs to the broader POS malware family, which includes variants like Alina and BlackPOS, and is primarily used for stealing credit card data from compromised point-of-sale terminals, classifying it as a credit card stealer and information-stealing malware.

🔧 Technical Capabilities

NewPosThings scrapes unencrypted cardholder data from process memory (specifically from Track 1 and Track 2 magnetic stripe data) on POS terminals running Windows, using a custom memory-scraping module that targets the upos.dll library commonly used by POS applications. It achieves initial infection via phishing emails with malicious attachments, drive-by downloads, or exploiting weak remote desktop protocol (RDP) credentials, and does not self-propagate, relying instead on manual distribution or droppers. Once on a system, it establishes persistence through registry run keys (e.g., HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun), and uses obfuscation techniques such as custom encryption of its configuration strings to evade signature-based detection. For command and control (C2) communication, it typically uses HTTP POST requests to hardcoded IP addresses or domain names, exfiltrating stolen card data in encrypted payloads to remote servers, often hosted on bulletproof hosting providers.

📜 History & Notable Incidents

NewPosThings was first identified in December 2016 in a campaign targeting hotels and restaurants in Malaysia, according to the Trend Micro report "NewPOSThings: A Point-of-Sale Malware with a Nasty New Trick" (2016). The malware was linked to the same threat actor behind the POS malware Punkey, and neither a specific CVE nor a single high-profile breach was attributed solely to this family; however, it contributed to a broader wave of POS breaches affecting mid-sized retailers in 2017–2018. No law enforcement actions have been publicly tied to this specific malware family, but its infrastructure was often taken offline alongside broader takedowns of bulletproof hosting services.

🔍 Detection Indicators

Indicators of compromise (IOCs) include the presence of files named svchost.exe or csrss.exe in non-standard directories (e.g., %APPDATA%), and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun containing values pointing to these executables. Network IOCs include outbound HTTP POST requests to domains such as royalpalacehotel.net or IP addresses associated with Asian bulletproof hosting, and the User-Agent string Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 may be used. Known file hashes from Trend Micro's analysis include SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (noted as a test sample), but specific hashes vary widely; behavioral signatures include POS process memory scans and high CPU usage during scraping.

☠️ Risk & Impact

The primary damage caused by NewPosThings is the exfiltration of credit card data (Track 1 and Track 2 magnetic stripe data), which can lead to direct financial fraud, card cloning, and reputational harm for affected merchants. Affected sectors include retail, hospitality (hotels and restaurants), and entertainment venues—any business using Windows-based POS terminals. Financial losses from a single breached POS terminal can range from tens of thousands to millions of dollars if the card data is sold on underground markets.

🛡️ Mitigation

Recommended defenses include applying the principle of least privilege to POS terminals, enabling application whitelisting, using endpoint detection and response (EDR) tools with behavioral monitoring for memory scraping, and implementing network segmentation to isolate POS systems from internet-facing services. Patches for known RDP vulnerabilities (e.g., CVE-2016-3309) and enforcing multi-factor authentication on remote access are critical. Security teams should deploy Yara rules that detect the memory-scraping patterns and monitor for IOCs from Trend Micro's "NewPOSThings" report.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.