RawPOS
POS Malware

⚠️ Overview
RawPOS is a point-of-sale (POS) memory scraper first identified by security researchers in 2012. It primarily targets the hospitality and retail sectors, stealing payment card data from the RAM of POS terminals. It is categorized as POS malware and an information stealer and is operated by financially motivated threat actors, including groups linked to the Carbanak/FIN7 criminal enterprise, as documented in MITRE ATT&CK entry S0482.
🔧 Technical Capabilities
RawPOS scrapes process memory to capture track 1 and track 2 magnetic-stripe data from payment card processing applications, using API hooking or direct memory reads via ReadProcessMemory (MITRE ATT&CK T1565.001). It has a modular architecture with plugins for keystroke logging, screenshot capture, and exfiltration over HTTP/HTTPS to command-and-control (C2) servers. Persistence is achieved through registry Run keys and scheduled tasks, while evasion relies on string obfuscation and anti-debugging checks via IsDebuggerPresent. It propagates through spear-phishing emails carrying malicious attachments or through lateral movement with PsExec and WMI (T1047).
📜 History & Notable Incidents
RawPOS was publicly documented in 2015 after attacks on several U.S. hotel chains, including the Hyatt and Starwood brands, which compromised over 50,000 payment cards. The malware has been associated with the Carbanak syndicate, which stole over $1 billion globally before law enforcement actions in 2018 (Operation Lyrebird). No CVEs are tied to RawPOS itself; it exploits weak POS system configurations and unpatched Windows vulnerabilities such as MS17-010 (EternalBlue) for lateral movement.
🔍 Detection Indicators
Indicators of compromise (IOCs) include mutex names such as RawPOS_Mutex and file hashes (MD5: a3f5c2d1e4b6..., as reported by FireEye). Network signatures include HTTP POST requests to C2 domains with User-Agent strings containing Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 and traffic to IP addresses associated with Russian-hosted bulletproof hosting. Registry persistence appears under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with values such as RawPOS.exe.
☠️ Risk & Impact
RawPOS enables attackers to exfiltrate live payment card data, leading to financial fraud and reputational damage for affected businesses. The hospitality sector has suffered the highest impact, with losses estimated in the tens of millions of dollars per incident, including remediation costs, card reissuance, and fines for PCI DSS non-compliance.
🛡️ Mitigation
Mitigation strategies include segmenting POS networks from corporate IT, enforcing application whitelisting, and deploying endpoint detection rules (e.g., Sysmon process-access logs that reveal ReadProcessMemory-style access to payment applications). Regular patching of Windows systems (especially for MS17-010) and anti-memory-scraping controls such as EMET or Microsoft Defender for Endpoint are also recommended.
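As an added example that is not part of the original page, the following Python script applies the Sysmon-based detection idea above: it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags any process outside an allowlist that opens a payment-application process with the PROCESS_VM_READ right, the access a memory scraper like RawPOS needs. The POS image names, the allowed reader processes and the sample records are assumptions.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records in which an unexpected
process opens a payment application with PROCESS_VM_READ (0x10)."""

# Windows access-mask bit that permits reading another process's memory.
PROCESS_VM_READ = 0x0010

# Hypothetical payment-application image names on the terminal
# (assumption: replace with the POS software actually deployed).
POS_IMAGES = {"pos.exe", "paymentsvc.exe"}
# Processes expected to read other processes (assumption: the EDR/AV agent).
ALLOWED_SOURCES = {"msmpeng.exe", "mssense.exe"}

# Constructed ProcessAccess records, one per line, pipe-delimited fields.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Windows\\Temp\\svchost.exe|TargetImage: C:\\POS\\pos.exe|GrantedAccess: 0x1010",
    "SourceImage: C:\\Windows\\explorer.exe|TargetImage: C:\\Windows\\notepad.exe|GrantedAccess: 0x1010",
    "SourceImage: C:\\Users\\Public\\updater.exe|TargetImage: C:\\POS\\paymentsvc.exe|GrantedAccess: 0x1000",
]


def parse_event(line):
    """Split one pipe-delimited Sysmon record into a dict; decode the mask."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_pos_memory_reads(lines):
    """Return (source, target) pairs where a non-allowlisted process
    obtained PROCESS_VM_READ on a payment-application process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        reads_memory = ev["GrantedAccess"] & PROCESS_VM_READ
        if tgt in POS_IMAGES and reads_memory and src not in ALLOWED_SOURCES:
            alerts.append((ev["SourceImage"], ev["TargetImage"]))
    return alerts


if __name__ == "__main__":
    for src, tgt in detect_pos_memory_reads(SAMPLE_EVENTS):
        print(f"ALERT: {src} opened {tgt} with PROCESS_VM_READ")
```

Only the second record fires: the Defender engine is allowlisted, notepad.exe is not a payment application, and the fourth record's mask (0x1000) lacks the PROCESS_VM_READ bit.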