{
	"id": "21b27bb2-350d-4a7c-bcbd-c3c954b1a48b",
	"created_at": "2026-04-06T00:12:05.911132Z",
	"updated_at": "2026-04-10T13:11:53.256464Z",
	"deleted_at": null,
	"sha1_hash": "044d9d525d9be8f06e473a3d28dbfac048747a23",
	"title": "POS Malware Used at Fuel Pumps – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 638718,
	"plain_text": "POS Malware Used at Fuel Pumps – One Night in Norfolk\r\nPublished: 2019-12-23 · Archived: 2026-04-05 14:04:09 UTC\r\nIn December 2019, VISA Security released a bulletin detailing multiple incidents in which threat actors targeted\r\npoint of sale systems used at fuel dispensing companies with malware designed to parse out credit card numbers\r\nfrom these systems. This blog post examines a file, 19d38325f715f623bd4b6e819a150cde, associated with the\r\nfirst of three listed incidents in that bulletin.\r\nThere are several notable characteristics regarding this malware, including a unique way for the threat actors to\r\nterminate the tool.\r\nMD5: 19d38325f715f623bd4b6e819a150cde\r\nSHA1: 81c4a8cf8c0da1c590377b37ed5cff8771560a3d\r\nSHA256: 7a207137e7b234e680116aa071f049c8472e4fb5990a38dab264d0a4cde126df\r\nThe file appears to be a variant of the Grateful/Framework POS family. While this variant (via a similar file,\r\n0EB7AC6D2D99D702ECC8B86FF90B0AAC) is described elsewhere, this blog is currently unable to replicate\r\nor identify the data exfiltration method detailed in external posts. This method appears statically in strings in\r\nsimilar – but larger – samples, suggesting that it may have actually been removed for certain variants. If that is the\r\ncase, it would also imply that the threat actors exfiltrated the data through other malware or tools, which would be\r\nconsistent with some vendor observations. Further discussion around this point and the discrepancies in reported\r\nfunctionality around these hashes can be found in a later section.\r\nThe file contains two exports:\r\n– workerInstance (main functionality)\r\n– debugPoint (enters a sleep loop)\r\nThe workerInstance export is used to launch the main functionality of the malware. In addition, the malware also\r\nexpects to receive a file path as an argument. 
When this export is called, the malware creates a mutex named\r\n“Global.Ms.ThreadPooling.MyAppSingleInstance” and then collects local data about the infected workstation.\r\nThis data is written to the file path specified at runtime.\r\nhttps://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/\r\nPage 1 of 9\n\nThe malware runs four threads:\r\n– Thread 1: Enters memory scraping loop\r\n– Thread 2: Enters memory scraping loop\r\n– Thread 3: Checks the length of the name of the process to be scraped; the name must be longer than 4 characters.\r\n– Thread 4: Terminates the malware if a “stopper” file is found in the working directory\r\nOf these, Thread 4 is among the most novel and allows the threat actors to terminate the malware. The malware\r\ntakes the filename “memscrp.stp” and appends it to a string containing the working directory of the DLL. The\r\nmalware will then use the CreateFile API to try to access a file with the name at this location. It then performs a\r\ncomparison:\r\n1) If the CreateFile call generated an error (i.e. the file was not present at the time of the check), EAX is zeroed\r\nout and the routine sleeps for sixty seconds before trying again.\r\n2) If this call does not generate an error (i.e. the file exists), the malware uses the MoveFile API call to add a\r\n.stopped extension to this file and then terminates.\r\nThis workflow is shown below.\r\nThe advantages to this are unclear; however, one possibility is that this approach allows the threat actors to\r\nterminate the malware without the need for a command and control implementation.\r\nMemory Scraping Threads\r\nAs noted in another blog post, this malware forgoes more targeted scraping (in which specific BINs are selected)\r\nin favor of a broader collection. 
The threat actors’ scraping logic is not yet fully understood; however, several\r\ncharacteristics of credit card track data do appear, including the common “=” and “^” separators:\r\nThe scraping threads use the ReadProcessMemory API call to read data from all of the processes on the infected\r\nsystem. Unlike previously documented samples, no apparent whitelisting was present in the malware during static\r\nanalysis, and during dynamic runs of the malware the scraper searched for data without discretion. The\r\ncomparison logic in the image above takes place within the “Possible_Parsing” function boxed in blue at the\r\nbottom right of the image below:\r\nAt this stage, this blog has not identified where this data is stored or how it is transmitted. While some variants of\r\nthis file have C2 functionality via DNS requests (a previously known and documented feature), such features\r\nappear absent from the file analyzed here and reported by VISA. This blog also performed a dynamic comparison\r\nbetween a known DNS variant and the file analyzed here using test data. The DNS variant immediately began\r\ncommunicating with external servers (including a public IP checker and the C2 server) and eventually attempted\r\nto transmit scraped test data over the DNS protocol. 
The file analyzed in this blog post did not perform these tasks.\r\nA static comparison of both variants, with a focus on the DNS variant’s C2 server, shows that both files have\r\nnearly identical code leading to where this server is referenced in the DNS version and where one would expect it\r\nto be referenced in the non-DNS version:\r\nThis code workflow is nearly identical in both variants\r\nHowever, examining this location (boxed in orange above) shows that several functions are not present in the non-DNS version. Most importantly, none of the functions in this location contain code matching the routine with the\r\nC2 reference in the DNS version:\r\nThe DNS variant (top left) contains additional functionality not present in the non-DNS\r\nvariant\r\nIf these features have been removed, this blog postulates that either a file saving mechanism exists but has not yet\r\nbeen identified, or an additional file is used to run the DLL and collect data.\r\nAdditional Variants\r\nAs noted above, there are other variants of this scraper. A VirusTotal pivot on the workerInstance export identifies\r\neight total samples, with varying compile times. 
Of these samples, some feature DNS exfiltration capabilities and\r\nothers do not:\r\nNon-DNS\r\n32ccf851b0b81252aa2bfdf2e8b416cb Compilation Timestamp: 2018-12-10 20:06:42 (27KB)\r\n0eb7ac6d2d99d702ecc8b86ff90b0aac Compilation Timestamp: 2019-04-11 13:26:51 (27KB)\r\n576039d7cb54b749af5ed3d3558ee296 Compilation Timestamp: 2018-11-07 11:56:06 (25KB)\r\n19d38325f715f623bd4b6e819a150cde Compilation Timestamp: 2018-12-10 20:07:02 (23KB) (blog version)\r\nDNS\r\n0576380f93f49279491177d96d84ad7e Compilation Timestamp: 2018-11-27 20:06:19 (89KB)\r\n353b0df3a9efce2d32f6097cab8fffc3 Compilation Timestamp: 2018-11-27 20:06:44 (46KB)\r\n128f75f8c80d65d416c740a6d4c1591e Compilation Timestamp: 2018-11-27 20:06:19 (44KB)\r\n4ed6cc403d5ea6abae458ba6f43ad4f3 Compilation Timestamp: 2018-11-27 20:06:44 (42KB)\r\nInterestingly, the DNS variants were all compiled within a minute of each other. While two files share the same\r\ntimestamp (and perhaps are the same file, dumped from memory or disk differently), there are still three unique\r\ntimestamps from this set. In addition, these files are noticeably larger than the apparent non-DNS versions. With\r\none exception, these files also have compilation timestamps predating the non-DNS versions, although this data\r\nset might not be complete given the limitations in VirusTotal’s search range (although none of the DNS versions\r\nreturned by this query had compilation timestamps beyond 2018).\r\nOne possible explanation is that the threat actor shifted away from DNS exfiltration in favor of quiet collection\r\nor the use of an external tool. Another possibility is that the tool is shared across multiple threat actors with\r\ndifferent operational behaviors. 
The short window of compilation timestamps for the DNS samples could\r\nrepresent different builds for multiple simultaneous targets, threat actor testing, or a more benign explanation.\r\nThe DNS versions all use “ns.akamai1811.com” as their C2.\r\nSource: https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/"
	],
	"report_names": [
		"pos-malware-used-at-fuel-pumps"
	],
	"threat_actors": [],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/044d9d525d9be8f06e473a3d28dbfac048747a23.pdf",
		"text": "https://archive.orkl.eu/044d9d525d9be8f06e473a3d28dbfac048747a23.txt",
		"img": "https://archive.orkl.eu/044d9d525d9be8f06e473a3d28dbfac048747a23.jpg"
	}
}