
Threat Group Cards: A Threat Actor Encyclopedia

Tool: RtPOS

Names: RtPOS
Category: Malware
Type: POS malware, Reconnaissance, Backdoor, Credential stealer
Description: (Booz Allen) RtPOS is unique in comparison to other fully featured POS malware like Project Hook and TreasureHunter, in that it has no native exfiltration capability. While other POS malware families are perfectly capable of sending captured Track1 and Track2 data to a C2 server, RtPOS merely saves the data locally. As this activity is similar to some POS utilities, this is likely intended to reduce the network activity footprint of RtPOS and ensure the malware remains undetected for longer, thus earning the controllers a healthier profit. The RtPOS malware is also simplistic in features, largely automated in operation, and lacks many of the features that more mature POS malware families have.

The lack of a network exfiltration feature, interaction and user commands, as well as a dropper component hints at more serious implications: in order for RtPOS to execute and in order to retrieve the captured payment card data, the attackers would have existing access to the victim’s machine(s). RtPOS may simply be an in-development POS malware family, though review and analysis suggests RtPOS is a post-compromise tool instead of a standalone malware, and may even be part of a larger, heretofore unidentified tool set.
Information: <https://www.boozallen.com/c/insight/blog/new-point-of-sale-malware-family-uncovered.html>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:RtPOS>

Last change to this tool card: 25 May 2020


All groups using tool RtPOS

Changed   Name   Country   Observed

Unknown groups

X   [ Interesting malware not linked to an actor yet ]

1 group listed (0 APT, 0 other, 1 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Report incidents

Telephone: +66 (0)2-123-1234
E-mail: report@thaicert.or.th
PGP: PGP key available for download