RtPOS - New Point of Sale Malware Family Uncovered

released on 2018-08-25 @ 01:20:20 AM
New point-of-sale malware samples appear from time to time. Following up on an interesting tip, we retrieved and analyzed a sample of previously unseen POS malware, introduced here as RtPOS. The name comes from the debug path left in the sample. RtPOS is unique in comparison to fully featured POS malware like Project Hook and TreasureHunter, in that it has no native exfiltration capability. While other POS malware families are perfectly capable of sending captured Track1 and Track2 data to a C2 server, RtPOS merely saves the data locally. As this activity is similar to some POS utilities, this is likely intended to reduce the network activity footprint of RtPOS and ensure the malware remains undetected for longer, thus earning the controllers a healthier profit. The RtPOS malware is also simplistic in features, largely automated in operation, and lacks many of the features that more mature POS malware families have.
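
Because RtPOS stages captured Track1 and Track2 data on local disk instead of sending it to a C2 server, network-based detection has little to work with, and finding staged card data on the host becomes the useful check. The following is an added example, not code from the original article: the patterns assume the standard ISO/IEC 7813 track layouts, the function names are hypothetical, and the sample buffer is constructed around a well-known test card number.

```python
import re

# ISO/IEC 7813 layouts (assumed, not taken from the article):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
#   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^\^\r\n]{2,26}\^(\d{2})(\d{2})\d{3}[^?\r\n]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out random digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(blob: bytes):
    """Return (track, offset, masked PAN) for each plausible track record in blob."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            month = int(m.group(3))
            if 1 <= month <= 12 and luhn_ok(pan):
                # Report only the first six and last four digits, never the full PAN.
                masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                hits.append((name, m.start(), masked))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a binary-looking buffer holding two test-card records
# and one Luhn-invalid decoy that the checksum should reject.
SAMPLE = (
    b"\x00\x01log%B4111111111111111^DOE/JOHN^25121010000000000?\x00"
    b"pad;4111111111111111=25121010000000000?\x00"
    b";1234567890123456=25121010000000000?"
)

if __name__ == "__main__":
    for track, offset, masked in find_track_data(SAMPLE):
        print(f"{track} at offset {offset}: {masked}")
```

Run over file contents on POS endpoints, a hit in an unexpected file is a reason to investigate how that file was written.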