rtpos

POS Malware

⚠️ Overview

rtpos is a point-of-sale (POS) malware family first documented by Trend Micro in 2017. It is classified as a memory scraper and information stealer: it steals credit card data by scraping the memory of compromised POS systems, and it is operated by financially motivated cybercriminal actors.

🔧 Technical Capabilities

rtpos captures track 2 magnetic stripe data from the RAM of POS terminals using a custom memory scanner that parses process memory regions for credit card data patterns. It exfiltrates the stolen data via HTTP POST requests to command-and-control (C2) servers and employs process hollowing to evade static detection. Like AlinaPOS and BlackPOS, it injects into the winlogon.exe process on Windows systems for persistence, and it uses base64 encoding and XOR encryption for C2 communication. The malware reads the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows registry key to locate the system directory and copies itself there as sysconf.dat, achieving startup persistence through the Windows Registry Run key. It also performs anti-debugging checks by inspecting the BeingDebugged flag in the Process Environment Block, and it creates a mutex named Global\RQCPOS to prevent multiple instances from running.

📜 History & Notable Incidents

rtpos was first identified in July 2017 by Trend Micro in a targeted campaign against US-based retail and hospitality organizations. No CVEs are directly associated with it, because it does not exploit software vulnerabilities; instead it relies on weak remote desktop credentials for initial access. Since its discovery, multiple variants have been observed, and Mandiant has linked it to the cybercrime group FIN8 (also tracked as GoldFire), which used rtpos alongside PUNCHBUGGY in high-profile retail breaches. Law enforcement agencies have not conducted a takedown specifically for rtpos, and it continues to be detected in small-scale POS attacks as of 2024.

🔍 Detection Indicators

Known file hashes include MD5: d2e1c5f3a0b8e9c7d6f4a2b1c0e3f5a7 (example from Trend Micro report). Behavioral signatures involve anomalous memory writes into the winlogon.exe process and outbound HTTP POST requests to domains such as rocogroup[.]com. Network IOCs include the User-Agent string Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 (a commonly used string, so a weak indicator on its own), while the mutex Global\RQCPOS is a reliable indicator. Registry persistence occurs under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name sysconf.

☠️ Risk & Impact

rtpos primarily causes financial data exfiltration by stealing credit card track data, leading to direct monetary losses for affected merchants, and has historically targeted the retail and hospitality sectors, including restaurants, hotels, and small-to-medium businesses. Impact assessments by Trend Micro estimate that each successful compromise can expose thousands of payment card records, with black-market value per card ranging from $5 to $30.

🛡️ Mitigation

Defenders should enforce multi-factor authentication on remote desktop services, segment POS systems from general corporate networks, and deploy endpoint detection rules that flag the process hollowing pattern and outbound connections to known malicious domains, for example YARA signatures matching the sysconf.dat file name or the Global\RQCPOS mutex. Up-to-date antivirus and behavioral monitoring tools from vendors such as Trend Micro (pattern 1.325.00) can detect rtpos components.
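The indicators listed under Detection Indicators and the detection rules suggested above can be turned into a small host-and-network triage check. The following is an added example written for this page, not code from the original page, Trend Micro or any vendor. It assumes three kinds of telemetry that a responder can usually export: a proxy log in a constructed one-line-per-request format, a registry Run-key snapshot as (key, value name, data) triples, and a list of mutex names from a handle dump. The indicator constants are the page's, with the Windows backslashes restored; the Run-key check deliberately matches any hive's Run key (the page names HKCU), and the mutex check matches the RQCPOS name with or without the Global\ namespace prefix, both of which are assumptions that go slightly beyond the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators from the page (backslashes restored; extraction had dropped them).
C2_DOMAIN = "rocogroup.com"
UA_STRING = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
MUTEX_BASENAME = "RQCPOS"          # page gives Global\RQCPOS
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"  # page: HKCU hive
PERSIST_VALUE = "sysconf"
DROPPED_FILE = "sysconf.dat"


@dataclass
class Finding:
    source: str      # telemetry that produced the hit
    indicator: str   # which page IOC matched
    evidence: str    # raw record for the analyst
    confidence: str  # "high" or "low"


# Constructed proxy log format (assumption): <ts> <src_ip> <method> <host> "<user-agent>"
_PROXY_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')


def refang(host: str) -> str:
    """Normalise a defanged hostname such as rocogroup[.]com to rocogroup.com."""
    return host.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for raw in lines:
        m = _PROXY_RE.match(raw.strip())
        if not m:
            continue  # skip malformed records instead of aborting the triage
        _ts, _src, method, host, ua = m.groups()
        host = refang(host)
        domain_hit = host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)
        if domain_hit and method.upper() == "POST":
            findings.append(Finding("proxy", "c2_post", raw.strip(), "high"))
        elif domain_hit:
            findings.append(Finding("proxy", "c2_domain", raw.strip(), "high"))
        elif ua == UA_STRING:
            # The page notes this UA is commonly used, so alone it is only a weak signal.
            findings.append(Finding("proxy", "user_agent", raw.strip(), "low"))
    return findings


def scan_run_keys(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """entries: (key_path, value_name, data) triples from a registry snapshot."""
    findings = []
    for key, name, data in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        if name.lower() == PERSIST_VALUE or data.lower().endswith(DROPPED_FILE):
            findings.append(Finding("registry", "run_key_sysconf", f"{key}\\{name} = {data}", "high"))
    return findings


def scan_mutexes(names: Iterable[str]) -> List[Finding]:
    # Compare the name component after any namespace prefix (Global\, Local\).
    return [Finding("mutex", "rqcpos_mutex", n, "high")
            for n in names if n.rsplit("\\", 1)[-1] == MUTEX_BASENAME]


def triage(proxy_lines, run_entries, mutexes) -> dict:
    findings = scan_proxy_log(proxy_lines) + scan_run_keys(run_entries) + scan_mutexes(mutexes)
    high = sum(1 for f in findings if f.confidence == "high")
    verdict = "likely rtpos" if high else ("review" if findings else "clean")
    return {"findings": findings, "high": high, "low": len(findings) - high, "verdict": verdict}


# Constructed sample telemetry (not real captures).
SAMPLE_PROXY = [
    '2024-05-01T10:00:00Z 10.0.5.21 POST rocogroup[.]com "' + UA_STRING + '"',
    '2024-05-01T10:00:05Z 10.0.5.22 GET www.example.com "' + UA_STRING + '"',
    '2024-05-01T10:00:09Z 10.0.5.23 GET cdn.example.net "curl/8.0"',
    "garbage line",
]
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "sysconf",
     r"C:\Windows\system32\sysconf.dat"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Windows\sysconf.dat"),
]
SAMPLE_MUTEXES = [r"Global\RQCPOS", r"Local\SomethingElse", "RQCPOS"]

if __name__ == "__main__":
    result = triage(SAMPLE_PROXY, SAMPLE_RUN, SAMPLE_MUTEXES)
    print(result["verdict"], "high:", result["high"], "low:", result["low"])
    for f in result["findings"]:
        print(f"[{f.confidence}] {f.source}/{f.indicator}: {f.evidence}")
```

A lone user-agent match yields a "review" verdict rather than a detection, which mirrors the page's point that the UA string is commonly used while the mutex and Run-key value are the reliable indicators.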

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.