Despite being one of the oldest Point-of-Sale (PoS) RAM scraper malware families out in the wild, RawPOS (detected by Trend Micro as TSPY_RAWPOS) is still very active today, with the threat actors behind it primarily focusing on the lucrative multibillion-dollar hospitality industry. While the threat actor’s tools for lateral movement, as well as RawPOS’ components, remain consistent, new behavior from the malware puts its victims at greater risk via potential identity theft. Specifically, this new behavior involves RawPOS stealing the driver’s license information from the user to aid in the threat group’s malicious activities.



Figure 1: PoS RAM scraper families from 2009 to 2014

How RawPOS finds credit card track data in memory

Traditionally, PoS threats look for credit card mag stripe data and use other components such as keyloggers and backdoors to get other valuable information. RawPOS attempts to gather both in one go, cleverly modifying the regex string to capture the needed data.

Regular expressions is one of the oldest methods of pattern matching, and RawPOS scans processes for strings that look like the data that is stored in the magnetic stripe in order to find “track data”-like strings in memory. Here is one old example:

((B(([0-9]{13,16})|([0-9]|s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}=(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}))



Figure 2: Sample regular expression used to match track data

(Diagram via Regexper, created by Jeff Avallone; licensed under CC BY 3.0)

This translates to:

Track 1 %B{credit card number}^{last name}\{first name}^{expiration year}{expiration month}{service code and other data} Track 2 ;{credit card number}={expiration year}{expiration month}{service code and other data}

Once the pattern is matched, the memory dumper dumps process memory for a file scraper to organize the data. Typically, both the memory dump and the file scraper would have the same regular expression definition.

What’s new with RawPOS?

The table below shows how RawPOS pattern matching has changed over the years.

2008 ((B(([0-9]{13,16})|([0-9]|s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}=(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})) 2009-2014 ((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}([A-Z]|=)(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})|(<Field name=”CardNumber”>[0-9]{15,19}</Field>)|(~CCM[0-9]{15,19}D[0-9]{4}~)) 2014-2015 ((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^[0-9]{2}((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}(D|=)[0-9]{2}((0[1-9])|(1[0-2]))[0-9]{8,30})|(<Field name=”CardNumber”>[0-9]{15,19}</Field>)|(~CCM[0-9]{15,19}D[0-9]{4}~)) 2015 ((<Field name=”CardNumber”>[0-9]{15,19}</Field>)|(B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^[0-9]{2}((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}(D|=)[0-9]{2}((0[1-9])|(1[0-2]))[0-9]{8,30})) 2016 ((<Field name=”CardNumber”>[0-9]{15,19}</Field>)|(B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^[0-9]{2}((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([3-7][0-9]{14,15}(D|=)[0-9]{2}((0[1-9])|(1[0-2]))[0-9]{8,30})) 2016-2017 ((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^[0-9]{2}((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}(D|=)[0-9]{2}((0[1-9])|(1[0-2]))[0-9]{8,30})|(ANSI\s636[0-9]{5,10}[\s\w]{10,500})) OR ((<Field name=”CardNumber”>[0-9]{15,19}</Field>)|(B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^[0-9]{2}((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}(D|=)[0-9]{2}((0[1-9])|(1[0-2]))[0-9]{8,30})|(ANSI\s636[0-9]{5,10})|([Dd]rivers.[Ll]icense))

The first few years were nearly identical, with only a few minor additions. However, starting in 2016, we noticed something rather different. Here’s a closer look:



Figure 3: Sample regular expression matching in newer files, like sha256

d931c76219c042cc9f9b50e1c50b678cefb10431683e4e9f9afde9b06a32dafe

(Diagram via Regexper, created by Jeff Avallone; licensed under CC BY 3.0)



The first 3 lines are for credit card details and the “Drivers” and “License” strings are giveaways, but what about the string “ANSI 636”?

As it turns out, this is defined in the 2013 North American AAMVA DL/ID Card Design Standard which outlines a mandatory PDF417 bar code to aid in “identity and age verification, automation of administrative processing, and address verification“. PDF417, a machine-readable 2-dimentional bar code, is a separate standard by itself.

The numbers “636” are the initial digits of the Issuer Identification Number (IIN) for most US states, which tells us that the data of interest here is the driver’s license information within the United States. The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color.

ANSI 636061050002DL00410337ZW03780013DCAD

DCB1

DCDNONE

DBA02212021

DCSSAMPLECARD

DACTHOMAS

DADALEXANDER

DBD12032013

DBB02211984

DBC1

DAYBRO

DAU76 in

DAG1234 COMMODORE JOSHUA BARNEY DRIVE,

DAIWASHINGTON

DAJDC

DAK00000-0000

DAQ1234567

DCF20130917090716MARKS999999

DCGUSA

DDEU

DDFU

DDGU

DAH(999) 999-9999

DAZBRO

DCJ

DDA

DDB09172013

DAW200

DDH02212002

DDI02212003

DDJ02212005

ZWZHCDCDL_DL



Figure 4: Example values of a driver’s license 2d barcode

Although the use of this barcode is less common than credit card swipes, it is not unheard of. Some people might experience getting their driver’s license barcode scanned in places like pharmacies, retail shops, bars, casinos and others establishments that require it.

What do these changes imply?

Combining personal information combined with credit card information gives threat actors a more “authentic” identity, and also provides all the information necessary to complete a transaction despite the lack of a physical card. Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. In any case, stolen Personal Identity Information (PII) will always be a serious issue that can lead to dire consequences for its victims.

Trend Micro Solutions

As a consumer, there are some ways to protect yourself from credit card fraud, as outlined by the FTC or possibly by your credit card issuer. In this case, where RawPOS usually targets hospitality establishments, check your credit card charges after you take a vacation. Also, most credit card issuers allow you to setup alerts that you can use to monitor your account for unusual transactions, and report these unusual transactions immediately. When asked for identification like your driver’s license, pay close attention if it is swiped or read electronically as well.

For businesses, Endpoint application control or whitelisting can be employed to reduce attack exposure by ensuring only updates associated with whitelisted applications can be installed. Implementing application control in PoS devices also significantly mitigates similar attacks by ensuring that only whitelisted applications are allowed to execute. Also, Trend Micro’s advanced endpoint solutions, such as Trend Micro™ Smart Protection Suites and Trend Micro™ Worry-Free™ Business Security provide both detection and blocking of all the relevant malicious files, which are detected as TSPY_RAWPOS.SM and TSPY_RAWPOS.SM1. Finally, Trend Micro’s Deep Discovery Inspector can be used to determine attempts to perform lateral movement, which is common for operators of RawPOS as they tend to try and discover more point-of-sale terminals.