Since 2008, RawPOS has menaced hotels and retail chains, stealing hundreds of thousands of financial records across dozens of companies. There’s an excellent reason for the persistence of RawPOS over the last eight years, during a time when innumerable other malware variants have grown and flourished and died—stealth. RawPOS has been known to sit undetected on an endpoint for up to a year, harvesting credit card data all the while. How does RawPOS manage to evade signature detection and virus scans for such a long time? More importantly, how have the creators of RawPOS managed to keep ahead of security researchers for the better part of a decade?
Here’s what separates RawPOS (and related malware variants) from other kinds of programs that may live on your computer—persistence. Beyond the obvious fact that malware steals your data, malicious software starts and stops itself without user interaction. Other, more legitimate software has a very limited ability to do that.
Persistence Makes Perfect
Microsoft Word, for example, doesn’t start itself and begin writing documents on its own every time you boot up your computer, but malware accomplishes something very similar. Some programs, like Skype, might start themselves every time you sign into Windows. You most likely ticked a box when you installed Skype, however, and specifically permitted Skype to start up every time you logged on. That’s what malware needs to accomplish without asking: a persistence mechanism that allows it to launch itself and run every time the computer starts.
RawPOS has an especially good persistence mechanism. It installs itself as a Windows service—a process that runs in the background of a computer. It also gives that service a name: Microsoft File Manager Services. Based on the name and its accompanying description, RawPOS essentially disguises itself as a critical Windows component, and one that no IT administrator unfamiliar with the system would ever think of deleting. More to the point, as of 2016, fewer than half of the AV services listed on VirusTotal recognize this component of RawPOS as a threat.
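Because the persistence mechanism is a plainly named Windows service, an administrator can hunt for it without waiting on AV signatures. The script below is an added example, not code from the original post or from any vendor: it enumerates installed services and flags any whose display name matches the one the post attributes to RawPOS, or whose display name claims to be a Microsoft component while its binary lives outside the OS and program directories or is not signed by Microsoft. The only indicator taken from the post is the display name "Microsoft File Manager Services"; the directory list and the signer check are assumptions about what a legitimate Microsoft service normally looks like. Run it from an elevated PowerShell 5.1 or later session on the endpoint.

```powershell
# Added example (not from the original post): hunt for services that masquerade
# as Microsoft components. Assumes an elevated PowerShell 5.1+ session.

# Display names taken from the post as known-bad indicators.
$KnownBadDisplayNames = @('Microsoft File Manager Services')

# Assumption: legitimate Microsoft service binaries live under these roots.
$SystemDirs = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -and $_ -ne '\' }

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments, e.g. "C:\foo\bar.exe" -k svc.
    # An unquoted path containing spaces is truncated at the first space; such
    # entries still show up in the report because Test-Path then fails.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $reasons = @()
    $claimsMicrosoft = $svc.DisplayName -like '*Microsoft*'

    if ($KnownBadDisplayNames -contains $svc.DisplayName) {
        $reasons += 'display name matches the RawPOS service name'
    }

    $exe = Get-ServiceBinaryPath $svc.PathName
    if ($exe) {
        $inSystemDir = $false
        foreach ($d in $SystemDirs) {
            if ($exe.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inSystemDir = $true }
        }
        # A "Microsoft" service running from a user or temp directory deserves a look.
        if ($claimsMicrosoft -and -not $inSystemDir) {
            $reasons += "Microsoft-branded service runs from $exe"
        }
        if ($claimsMicrosoft -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += "binary not validly signed by Microsoft (status: $($sig.Status))"
            }
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
            Binary      = $exe
            Reasons     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious services found.' }
```

Every hit is a lead, not a verdict: confirm a flagged service by checking its description, its binary's hash and creation time, and the account it runs as before removing anything, and run the same sweep across the fleet so that one franchise's finding becomes a check everywhere.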
Has RawPOS Claimed Another Victim?
The news doesn’t get that much better. The other, separate components of RawPOS are responsible for scraping POS data from RAM and for encrypting that data for later retrieval. Currently, zero and fifteen AV solutions on VirusTotal detect these components, respectively. It’s this kind of stealthiness that has allowed RawPOS to steal hundreds of thousands of customer records from companies such as Goodwill.
The makers of RawPOS may shortly be able to claim a similar coup. When we last checked in on the Wendy’s POS breach, the chain had reported a breach that went on from Fall of 2015 to Spring of 2016, affecting 300 stores. That’s bad enough as it is, but recent disclosures from the fast food chain seem to indicate that the rot went deeper than they initially let on.
A new report from Wendy’s suggests that the true number of infected franchises is far higher than the initial assessment of 300 suggested. Furthermore, they’ve characterized the malware responsible as “highly sophisticated in nature and extremely difficult to detect.” Sound familiar?
Although Wendy’s has declined to comment on the exact strain (or strains) that infected its franchise locations, we wouldn’t be surprised if it’s either RawPOS itself or something that pulls from the same bag of tricks. Either way, the success of this malicious program completely undermines the credibility of signature-based antivirus software, which even in the best-case scenario has less than a fifty-percent success rate against RawPOS.
As an industry, we can do better. Want to learn how Next Generation Endpoint Protection can stop malware variants that other products can’t detect? Find out what solution is best for you with our Next Generation Endpoint Protection Buyer’s Guide, and enjoy complete protection from POS malware, ransomware, and more.