A threat actor recently introduced a new Point of Sale (POS) malware called “ShadowPOS” on a well-known cybercrime forum. Still under development, the malware is marketed as an advanced tool designed to infiltrate POS systems, steal unencrypted credit card data, and send it to a command and control (C2) server.
Stealth and Persistence Features
The creator of ShadowPOS describes it as both highly persistent and stealthy. It scans memory at regular intervals and uploads any card data it finds to its C2 server. By running as a single-threaded process, the malware keeps its CPU and memory footprint low, which the seller claims makes it harder to notice on a terminal.
Advanced Scanning Capabilities
ShadowPOS is said to use a complex algorithm that efficiently locates and verifies card data. It relies on Google's RE2 regular expression engine to perform high-speed memory scanning across all processes on targeted Windows-based POS systems. Unlike many other POS malware families, which target only specific payment applications, ShadowPOS scans every running process on a terminal, significantly increasing its chances of finding card data.
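A scraper that reads the memory of every process on a terminal leaves a distinctive trail: one process opening read handles to many unrelated processes in a short window. The following detection logic, added here as an example and not code from the original post or from the malware's author, illustrates how a defender can hunt for that pattern in Sysmon Event ID 10 (ProcessAccess) telemetry. The log lines are constructed for this example in a simplified key=value form; the field names (UtcTime, SourceImage, SourceProcessId, TargetImage, GrantedAccess) are genuine Sysmon fields, but the process names, paths, PIDs and the allowlist entry are assumptions, not indicators from the page.

```python
"""Flag processes that read the memory of many other processes within a short
window, the access pattern left by a memory-scraping POS malware.

Added example (not from the original post). Input is a simplified, constructed
rendering of Sysmon Event ID 10 (ProcessAccess) records; real events are
EVTX/XML and carry more fields than the five used here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Win32 access right a process needs in order to read another process's memory.
PROCESS_VM_READ = 0x0010

# Legitimate tools that routinely read other processes' memory (AV engines, EDR).
# Match on the full path, never on the basename alone: a scraper can be named anything.
# The path below is an assumed example entry, not a recommendation for a specific product.
DEFAULT_ALLOWLIST = frozenset({
    r"c:\program files\windows defender\msmpeng.exe",
})

# Constructed sample log: an assumed scraper (updater.exe), an allowlisted AV
# engine, a benign handle without VM_READ, and a slow process below the rate threshold.
SAMPLE_LOG = r"""
UtcTime=2024-05-01 12:00:01.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\POS\posterminal.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:02.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:03.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:04.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\Program Files\Browser\browser.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:05.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\POS\posprinter.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:06.000 SourceImage=C:\ProgramData\svc\updater.exe SourceProcessId=4120 TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:01.500 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe SourceProcessId=1200 TargetImage=C:\POS\posterminal.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:01.600 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe SourceProcessId=1200 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:01.700 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe SourceProcessId=1200 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:01.800 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe SourceProcessId=1200 TargetImage=C:\POS\posprinter.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:01.900 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe SourceProcessId=1200 TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:00:10.000 SourceImage=C:\Windows\explorer.exe SourceProcessId=3000 TargetImage=C:\Program Files\Browser\browser.exe GrantedAccess=0x1400
UtcTime=2024-05-01 12:00:00.000 SourceImage=C:\Tools\slow.exe SourceProcessId=5000 TargetImage=C:\POS\posterminal.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:03:00.000 SourceImage=C:\Tools\slow.exe SourceProcessId=5000 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:06:00.000 SourceImage=C:\Tools\slow.exe SourceProcessId=5000 TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:09:00.000 SourceImage=C:\Tools\slow.exe SourceProcessId=5000 TargetImage=C:\POS\posprinter.exe GrantedAccess=0x1010
UtcTime=2024-05-01 12:12:00.000 SourceImage=C:\Tools\slow.exe SourceProcessId=5000 TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
"""

# Paths in the constructed format contain no spaces except inside "Program Files",
# so each field is matched up to the next known field name rather than on whitespace.
LINE_RE = re.compile(
    r"UtcTime=(?P<ts>\S+ \S+) SourceImage=(?P<src>.+?) SourceProcessId=(?P<pid>\d+) "
    r"TargetImage=(?P<tgt>.+?) GrantedAccess=(?P<acc>0x[0-9A-Fa-f]+)$"
)


def parse_events(text):
    """Turn the constructed ProcessAccess lines into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not ProcessAccess records
        events.append({
            "UtcTime": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "SourceImage": m["src"],
            "SourceProcessId": int(m["pid"]),
            "TargetImage": m["tgt"],
            "GrantedAccess": int(m["acc"], 16),
        })
    return events


def find_memory_scrapers(events, window=timedelta(seconds=60), min_targets=5,
                         allowlist=DEFAULT_ALLOWLIST):
    """Return {(SourceImage, SourceProcessId): set_of_targets} for every source
    process that obtained PROCESS_VM_READ on at least `min_targets` distinct
    processes inside any `window`-long interval."""
    by_source = defaultdict(list)
    for ev in events:
        if not ev["GrantedAccess"] & PROCESS_VM_READ:
            continue  # handle cannot read memory; not a scraping access
        if ev["SourceImage"].lower() in allowlist:
            continue  # known memory-reading tool
        by_source[(ev["SourceImage"], ev["SourceProcessId"])].append(ev)

    alerts = {}
    for key, evs in by_source.items():
        evs.sort(key=lambda e: e["UtcTime"])
        for i, first in enumerate(evs):
            # Distinct targets touched in the window that starts at this event.
            targets = {e["TargetImage"] for e in evs[i:]
                       if e["UtcTime"] - first["UtcTime"] <= window}
            if len(targets) >= min_targets:
                alerts[key] = targets
                break
    return alerts


if __name__ == "__main__":
    for (image, pid), targets in find_memory_scrapers(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {image} (pid {pid}) read memory of {len(targets)} processes:")
        for t in sorted(targets):
            print(f"    {t}")
```

The rate threshold matters as much as the access mask: a single PROCESS_VM_READ handle is routine, but one process fanning out across the POS application, the browser, system services and lsass.exe within seconds is the signature of a scraper that, like ShadowPOS, does not bother to pick its targets. Tune `window` and `min_targets` against a baseline from the terminal fleet, and keep the allowlist to full paths of signed tools.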
Command & Control Panel
The developer is also working on a Command & Control panel, which will allow users to manage and query stolen card data. This panel aims to streamline inventory management for those looking to sell or use the compromised information.
Exclusive Pre-Sale Offer
The threat actor is offering ShadowPOS for pre-sale with a promise of exclusivity. If purchased, the malware will not be sold as a service to others. The seller also offers to customize the malware according to the buyer’s needs.
Compliance with Forum Rules
The seller has pre-approved the post with the forum’s staff to ensure it complies with the site’s rules, which prohibit the sale of credit card information and ransomware-related tools. The seller emphasizes that the malware is not intended for ransomware attacks and does not come with any stolen card data.
The introduction of ShadowPOS highlights the ongoing evolution of cyber threats targeting businesses. Because the malware looks for card data that sits unencrypted in process memory, organizations should strengthen their security measures, including point-to-point encryption of card data so that plaintext track data never reaches the terminal's memory, and regular monitoring for unusual activity such as unknown processes reading the memory of other processes, to mitigate the risks posed by this and similar malware.