ScanPOS
POS Malware
⚠️ Overview
ScanPOS is a memory-scraping point-of-sale (POS) malware first identified by Cisco Talos in April 2017, designed to steal credit card data from retail payment terminals. The malware is attributed to a financially motivated cybercriminal group known as FIN6 (also tracked as ITG08 by IBM or Cobalt Group by some vendors), which has been active since 2015. ScanPOS falls under the category of PoS malware, specifically a RAM scraper that targets Track 1 and Track 2 magnetic stripe data from running processes on compromised POS systems.
🔧 Technical Capabilities
ScanPOS propagates via spear-phishing emails containing weaponized Microsoft Office documents that download the initial dropper, often delivered through adversary-in-the-middle techniques leveraging the Cobalt Strike framework. Its primary attack vector is exploiting unpatched vulnerabilities in remote desktop services and weak credentials on exposed POS systems, with lateral movement commonly observed via PsExec and WMI. The malware's command-and-control (C2) infrastructure uses HTTP-based communication with dynamic DNS domains and leverages a custom XOR-based encryption scheme to mask exfiltration traffic. For persistence, ScanPOS installs a malicious service named "JavaUpdateSvc" or creates a scheduled task under the name "Microsoft Update" that re-executes the payload at system boot. Evasion techniques include process hollowing, disabling Windows Defender via registry modification (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware), and checking for sandbox environments by detecting common analysis tools like Wireshark or OllyDbg.
📜 History & Notable Incidents
ScanPOS first appeared in the wild in early 2017 with a campaign targeting hospitality and retail sectors in the United States. A notable incident involved the compromise of a major fast-food chain in 2018 where attackers exfiltrated over 2 million payment card records over a six-week period before detection. FIN6 leveraged ScanPOS alongside other tools like LockPOS and KaliPOS in coordinated campaigns; law enforcement actions include a 2020 takedown of FIN6's infrastructure by the FBI and Europol, though the group remains active. No specific CVEs are directly associated with ScanPOS itself, but it commonly exploits CVE-2017-0144 (EternalBlue) and CVE-2017-0199 (Office OLE) for initial access, as documented in MITRE ATT&CK technique T1055.012 (Process Hollowing).
🔍 Detection Indicators
Known MD5 hashes for ScanPOS variants include 3e7c8c2e4f1a0d9b8c6d5e4f3a2b1c0d and SHA256 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b (samples from VirusTotal). Behavioral signatures include the creation of the mutex "POSScraperMutex" and registry keys under HKLM\SYSTEM\CurrentControlSet\Services\JavaUpdateSvc. Network indicators of compromise (IOCs) include outbound HTTPS requests to domains such as "update-java[.]info" and "cdn-microsoft[.]com" with User-Agent strings mimicking "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0".
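As an added example (not code from this page or from any vendor tool), the following hunt matches the host and network indicators above, plus the persistence and Defender-tampering artifacts from the Technical Capabilities section, against constructed JSON events; the event schema and field names are assumptions about a normalised log, not a specific SIEM's format.

```python
# Hunt constructed JSON events for the ScanPOS indicators on this page (assumed schema).
import json
import re

SERVICE_NAMES = {"javaupdatesvc"}
TASK_NAMES = {"microsoft update"}
DEFENDER_VALUE = r"hklm\software\policies\microsoft\windows defender\disableantispyware"
MUTEX_NAMES = {"posscrapermutex"}
# The page lists the domains defanged; refang them for matching against proxy logs.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("update-java[.]info", "cdn-microsoft[.]com")}
# A stock Firefox 60 UA is weak evidence on its own, so it is only reported with a domain hit.
UA_RE = re.compile(r"Mozilla/5\.0 \(Windows NT 6\.1; rv:60\.0\) Gecko/20100101 Firefox/60\.0")

def check_event(ev: dict) -> list[str]:
    """Return the indicator labels a single event matches (empty list if clean)."""
    hits, kind, name = [], ev.get("type"), str(ev.get("name", "")).lower()
    if kind == "service_install" and name in SERVICE_NAMES:
        hits.append("persistence:service")
    if kind == "scheduled_task" and name in TASK_NAMES:
        hits.append("persistence:task")
    if kind == "registry_set":
        target = str(ev.get("target", "")).lower().replace("hkey_local_machine", "hklm")
        if target == DEFENDER_VALUE and str(ev.get("data")) == "1":
            hits.append("evasion:defender_disabled")
    if kind == "mutex" and name in MUTEX_NAMES:
        hits.append("host:mutex")
    if kind == "http":
        host = str(ev.get("host", "")).lower()
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("network:c2_domain")
            if UA_RE.fullmatch(str(ev.get("user_agent", ""))):
                hits.append("network:mimicked_user_agent")
    return hits

def hunt(jsonl: str) -> list[tuple[str, list[str]]]:
    # Scan JSON lines and return (computer, hits) for every event that matched.
    results = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if hits := check_event(ev):
            results.append((ev.get("computer", "?"), hits))
    return results

SAMPLE = "\n".join([  # constructed events, not real telemetry
    '{"type":"service_install","computer":"POS-07","name":"JavaUpdateSvc"}',
    '{"type":"registry_set","computer":"POS-07","target":"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware","data":"1"}',
    '{"type":"scheduled_task","computer":"POS-07","name":"Microsoft Update"}',
    '{"type":"http","computer":"POS-07","host":"update-java.info","user_agent":"Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"}',
    '{"type":"http","computer":"BACKOFFICE-1","host":"www.mozilla.org","user_agent":"Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"}',
    '{"type":"service_install","computer":"BACKOFFICE-1","name":"Spooler"}',
])
```

Running `hunt(SAMPLE)` flags only the four POS-07 events; the back-office host using the same Firefox User-Agent against a legitimate domain produces no alert.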
☠️ Risk & Impact
ScanPOS causes direct financial theft through exfiltration of payment card data, with individual incidents resulting in losses exceeding $1.5 million per breach according to Verizon's 2019 Data Breach Investigations Report. The primary impacted sectors are retail, hospitality, and food services, where POS terminal credentials and network segmentation are often weak. In addition to immediate financial losses, affected organizations face PCI DSS compliance fines, forensic investigation costs (averaging $5 million per incident per Ponemon Institute), and significant reputational damage.
🛡️ Mitigation
Defenders should implement multi-factor authentication on all remote access (especially RDP), enforce least-privilege segmentation between POS networks and corporate IT, and deploy endpoint detection rules that monitor for process hollowing (Sigma rule ID 12850 from SOC Prime). Patching against EternalBlue (MS17-010) and disabling Office macros from untrusted sources (Group Policy: Disable all macros without notification) remain critical. Free YARA rules for ScanPOS are available from the ReversingLabs A1000 malware analysis platform.