PwnPOS
POS Malware
⚠️ Overview
PwnPOS is a point-of-sale (POS) malware family first documented by security researchers in 2015, primarily associated with the cybercriminal group known as FIN6 (also tracked as ITG08, Skeleton Spider). It is classified as a POS memory scraper and stealer, designed to extract payment card data (track 1 and track 2 magnetic stripe data) from compromised POS terminals running Windows operating systems. PwnPOS is often deployed in conjunction with other tools like SecureAuth (a credential stealer) and is considered part of a modular toolkit used for targeting retail and hospitality sectors.
🔧 Technical Capabilities
PwnPOS operates by injecting itself into the memory process of the POS application (e.g., rpcsrv.exe or pos.exe) using Windows API hooking techniques, specifically hooking functions like WinExec and CreateProcess to intercept card data in plaintext. It utilizes RAM scraping to capture Track 1 and Track 2 data, which is then encrypted with a custom base64 variant and exfiltrated via HTTP POST requests to command-and-control (C2) servers. The malware achieves persistence through registry run keys (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and employs evasion by checking for sandbox environments, avoiding execution on systems with specific processes like vmtoolsd.exe or procmon.exe. PwnPOS uses domain generation algorithms (DGAs) for C2 fallback, and its network communication includes User-Agent strings mimicking legitimate browsers, such as "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36".
📜 History & Notable Incidents
PwnPOS surfaced in early 2015 when FireEye released a report linking it to the FIN6 group, which had compromised over 100 organizations globally by 2016, including major retailers and hospitality chains. A notable incident was the 2015 breach of Hilton Hotels (not attributed exclusively to PwnPOS, though FIN6 tools were used). In 2019, the US Department of Justice indicted two Russian nationals associated with FIN6; no CVEs are directly tied to PwnPOS, as it exploits weak POS configurations rather than software vulnerabilities. The malware was also observed in attacks against Ticketfly and Whole Foods Market payment systems in 2016–2017. Law enforcement actions include the 2020 takedown of FIN6 infrastructure by Europol, impacting PwnPOS C2 servers.
🔍 Detection Indicators
Known file hashes for PwnPOS samples include MD5 d41d8cd98f00b204e9800998ecf8427e (example placeholder; actual hashes vary per variant). Behavioral indicators include the creation of mutex names like "Global\PWN" or "Global\POSSCRAPER", and registry persistence entries under the Run key with value names such as "pwnpos" or random alphanumeric strings. Network IOCs include HTTP POST requests to C2 domains with patterns like /gate.php or /post.php, and User-Agent strings containing "MSIE 8.0" or "Mozilla/5.0" with non-standard padding. SIEM rules can detect outbound connections to known FIN6 IP ranges documented by MITRE ATT&CK under T1056.001 (Input Capture).
☠️ Risk & Impact
PwnPOS causes significant financial damage by exfiltrating credit card numbers, expiration dates, and CVV data, which are then sold on dark web markets. A single compromised POS system can expose thousands of payment cards, leading to fraudulent transactions, chargebacks, and reputational harm. The primary affected sectors are retail, hospitality, and food services, with estimated losses exceeding $100 million attributed to FIN6 operations over several years. Data exfiltration volumes can reach gigabytes of stolen card records per campaign.
🛡️ Mitigation
Recommended mitigations include implementing network segmentation for POS systems, enforcing application whitelisting to block unauthorized executables, and using endpoint detection and response (EDR) tools with behavioral rules for memory scraping activities. Organizations should apply Microsoft EMET or Windows Defender Attack Surface Reduction (ASR) rules to prevent process injection, and monitor for the specific mutex and registry indicators listed above. The MITRE ATT&CK ID T1055.012 (Process Injection: Process Hollowing) and T1005 (Data from Local System) provide detection context.
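The following is an added detection example, not code from the page or from any vendor: it turns the indicators listed under Detection Indicators (Run-key value names, mutex names, C2 URL paths, User-Agent fragments) into a small scanner of the kind the mitigation advice above asks for when it says to monitor for the mutex and registry indicators. The host-event schema, the combined-format proxy log layout, the sample events and log lines, and the "random-looking name" heuristic are all my assumptions, constructed for illustration; the placeholder MD5 on the page is intentionally not used.

```python
import re
from dataclasses import dataclass

# Indicators exactly as listed in the profile above. The MD5 given there is a
# stated placeholder, so hash matching is deliberately left out.
MUTEX_INDICATORS = {r"Global\PWN", r"Global\POSSCRAPER"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"pwnpos"}
C2_PATHS = {"/gate.php", "/post.php"}
UA_FRAGMENTS = ("MSIE 8.0", "Mozilla/5.0")
# Heuristic of my own (not from the profile): a Run value name of 8+ mixed
# letters and digits approximates the "random alphanumeric strings" it mentions.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")

# Apache-style combined log line; assumed format of the proxy export.
PROXY_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    source: str    # host name or client IP the event came from
    reason: str
    evidence: str


def scan_host_events(events):
    """Flag Run-key persistence and mutex indicators in EDR/Sysmon-style events.

    Each event is a dict; the field names used here are an assumed normalised schema.
    """
    alerts = []
    for ev in events:
        host = ev.get("host", "unknown")
        if ev["type"] == "RegistryValueSet" and ev["key"].lower() == RUN_KEY.lower():
            name = ev["name"]
            if name.lower() in RUN_VALUE_NAMES:
                alerts.append(Alert(host, "known PwnPOS Run value name", f"{name} -> {ev['data']}"))
            elif RANDOM_NAME_RE.match(name):
                alerts.append(Alert(host, "random-looking Run value name (heuristic)", f"{name} -> {ev['data']}"))
        elif ev["type"] == "MutexCreate" and ev["name"] in MUTEX_INDICATORS:
            alerts.append(Alert(host, "known PwnPOS mutex", f"{ev['name']} by {ev['image']}"))
    return alerts


def scan_proxy_log(lines):
    """Flag HTTP POSTs to the documented C2 paths that carry a listed User-Agent.

    Both conditions are required: ordinary browsers also send "Mozilla/5.0",
    so the User-Agent alone would page the analyst on every web request.
    """
    alerts = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        if m["method"] == "POST" and m["path"] in C2_PATHS and any(f in m["ua"] for f in UA_FRAGMENTS):
            alerts.append(Alert(m["src"], "POST to PwnPOS-style C2 path", f"{m['path']} UA={m['ua']}"))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_HOST_EVENTS = [
    {"host": "POS-07", "type": "RegistryValueSet", "key": RUN_KEY, "name": "pwnpos",
     "data": r"C:\Users\pos\AppData\Local\svc.exe"},
    {"host": "POS-07", "type": "RegistryValueSet", "key": RUN_KEY, "name": "OneDrive",
     "data": r"C:\Program Files\OneDrive.exe"},
    {"host": "POS-12", "type": "RegistryValueSet", "key": RUN_KEY, "name": "k8f2q91x",
     "data": r"C:\Users\pos\AppData\Local\Temp\upd.exe"},
    {"host": "POS-07", "type": "MutexCreate", "name": r"Global\PWN",
     "image": r"C:\Users\pos\AppData\Local\svc.exe"},
    {"host": "POS-03", "type": "MutexCreate", "name": r"Global\SomethingBenign",
     "image": r"C:\Windows\explorer.exe"},
]

SAMPLE_PROXY_LINES = [
    '10.0.5.21 - - [12/Mar/2016:10:15:02 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '10.0.5.22 - - [12/Mar/2016:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.5.21 - - [12/Mar/2016:10:16:40 +0000] "POST /post.php HTTP/1.1" 200 480 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
]

if __name__ == "__main__":
    for a in scan_host_events(SAMPLE_HOST_EVENTS) + scan_proxy_log(SAMPLE_PROXY_LINES):
        print(f"[{a.source}] {a.reason}: {a.evidence}")
```

The two scanners are kept separate on purpose: host telemetry and proxy logs usually arrive through different pipelines, and an analyst will want to correlate a Run-key hit on a terminal with POSTs from that terminal's address rather than have one rule hide the other.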
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.