{
	"id": "ffe4de66-ed89-4c31-ade8-d2ba4abb9651",
	"created_at": "2026-04-06T00:16:25.790615Z",
	"updated_at": "2026-04-10T13:11:30.714957Z",
	"deleted_at": null,
	"sha1_hash": "c40d92061177f48fd1db9293669127bb3e8da06e",
	"title": "FindPOS: New POS Malware Family Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2316911,
	"plain_text": "FindPOS: New POS Malware Family Discovered\r\nBy Josh Grunzweig\r\nPublished: 2015-03-19 · Archived: 2026-04-05 16:21:31 UTC\r\nUnit 42 has discovered a new Point of Sale (POS) malware family, which includes multiple variants created as\r\nearly as November 2014. Over the past few weeks we have been analyzing this malware family, which we have\r\ndubbed ‘FindPOS’ due to strings consistently found in each variant.\r\nWhile this malware doesn’t show strong sophistication, the large number of variants shows prevalence similar to\r\nfamilies such as Alina and Backoff. It is clear that FindPOS should be considered a strong threat to Microsoft\r\nWindows POS vendors, and measures should be taken to ensure protection.\r\nWorkflow\r\nThe malware in question has the ability to scrape memory for track data, exfiltrate any discovered data via HTTP\r\nPOST requests, and in some instances log keystrokes. While the malware family uses many common techniques\r\nwitnessed in previous malware families targeting POS devices, the prevalence and continued development of this\r\nmalware demonstrates a threat to those running Windows-based point of sale terminals.\r\nThe general workflow of the FindPOS malware family can be seen below.\r\nEvolution\r\nOver the course of our research, a total of nine variants of FindPOS have been discovered. 
Using compile\r\ntimestamp information, we can see a timeline of these variants below.\r\nhttps://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/\r\nPage 1 of 16\n\nA breakdown of the specific functionality changes between versions is as follows:\r\nVersion 2.1\r\nModified hashing algorithm to use the following information:\r\n  Volume Serial Number\r\n  Networking Adapters (IPv4 Only)\r\nAdded ‘uinfo’ POST parameter\r\nVersion 5.57\r\nAdded ability to terminate previously installed FindPOS upon installation\r\nCode cleanup during install\r\nSet main thread to lowest priority\r\nAdded memory scraping checks\r\n  Expiration year between 2014 and 2030\r\n  Expiration month between 1 and 12\r\n  Service code set to either ‘101’ or ‘201’\r\nAdded ability to download/execute files\r\nRemoved ‘Cookie: income=1’ HTTP Header\r\nAdded User-Agent HTTP Header\r\nVersion 5.80\r\nModified memory scraping checks\r\n  Expiration year cannot exceed 2030 (no lower bound check)\r\n  Expiration month cannot exceed 12 (no lower bound check)\r\nCode enhancements to domain/URI configuration\r\nVersion 5.90\r\nAdded keylogging functionality\r\nVersion 6.0\r\nNo significant changes identified\r\nVersion 6.02\r\nMinor modifications to exfiltration function\r\nVersion 6.03\r\nNo significant changes identified\r\nVersion 6.04\r\nMinor modifications to exfiltration sleep timer\r\nAs we can see from the above timeline, FindPOS appears to have been very actively developed early on, while\r\nover time the author made minimal changes. These minimal changes were likely made for performance reasons or\r\npotentially bug fixes.\r\nInstallation\r\nUpon execution, FindPOS will generate a lowercase alphabetic executable name of eight characters (example:\r\nabodeign.exe). 
This name is generated using the following system information:\r\n  C:\\ Volume Serial Number\r\n  SystemBiosdate\r\n  VideoBiosdate\r\n  CPU Identifier\r\n  Microsoft Windows ProductId\r\nUsing these values as input means the same name is generated consistently when the malware is run on the same machine.\r\nPlease note that the hashing algorithm used was modified in version 2.1. Please refer to the ‘Evolution’ section\r\nabove for details.\r\nThis executable name is then compared against the original executable name of the running malware. Should\r\nthose names not match, the malware will proceed with its installation routine.\r\nFindPOS proceeds to copy itself to the following directories using the executable name that was previously\r\ngenerated:\r\n  %SystemRoot%\\System32\\[name].exe\r\n  %USERPROFILE%\\[name].exe\r\nShould these file copy operations prove successful, the malware will write the following registry keys:\r\n  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [name] : %SystemRoot%\\System32\\[name].exe\r\n  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [name] : %USERPROFILE%\\[name].exe\r\nThe malware will proceed to spawn a new instance of %SystemRoot%\\System32\\[name].exe via a call to\r\nCreateProcessA. Should this prove successful, the malware will execute the following command prior to exiting.\r\nThis command is responsible for deleting the original executable.\r\n  cmd.exe /c del [original_executable_path] \u003e\u003e NUL\r\nShould the CreateProcessA call on %SystemRoot%\\System32\\[name].exe fail, FindPOS will attempt to spawn a\r\nnew instance of %USERPROFILE%\\[name].exe. 
If this proves successful, FindPOS will attempt to delete the\r\noriginal executable using the same technique previously seen.\r\nAfter installation of FindPOS is successful, the malware will create a global mutex in order to ensure only one\r\ninstance of FindPOS is running. This mutex has the following name:\r\n  WIN_[hex]\r\nWhere [hex] is a series of 16 uppercase hexadecimal characters that are generated using the same technique\r\nwitnessed when generating the malware’s executable name during the installation routine.\r\nAfter this mutex is successfully created, FindPOS will continue to scrape memory and optionally log keystrokes.\r\nMemory Scraping\r\nMemory scraping is a technique found in the majority of POS malware families discovered in prior years. The\r\nconcept is fairly simple: read the memory of running processes on a POS terminal, and look for track data. When a\r\ncard is swiped on a POS terminal, and the transaction is processed, the card data will often reside in memory\r\nunencrypted for a brief period of time. Attackers exploit this weakness in order to find track data.\r\nA common technique for increasing performance of memory scrapers is to maintain a denylist of commonly seen\r\nprocess names, such as explorer.exe, lsass.exe, csrss.exe, etc. Alternatively, some malware families leverage an\r\nallowlist approach, where only specific process names are targeted. FindPOS, however, uses a brand new\r\napproach. This particular family determines the owner of every process on the system, via calls to EnumProcesses,\r\nOpenProcess, GetTokenInformation and LookupAccountSid. The owner of the process is then compared against\r\nthe ‘NT AUTHORITY’ string. This filters out any processes not being run as system or as a service. 
In the\r\nexample below, all processes except for ‘dwm.exe’ and the multiple instances of ‘conhost.exe’ would be filtered.\r\nFigure 1. Example Running Processes\r\nIn the event a process is not filtered, memory is scraped via calls to VirtualQueryEx and ReadProcessMemory.\r\nThis is a very common approach that is witnessed in almost all memory scrapers.\r\nOnce the data is read, FindPOS proceeds to look for track data. Starting with version 5.57, the author began\r\nmaking checks based on various data found within the track data. For example, in version 5.57 the author began\r\nignoring any track data that did not have an expiration date between January 2014 and December 2030. This helped\r\nto ensure expired card data was not captured.\r\nAdditionally, the author paid close attention to the service codes that appeared within any discovered track data.\r\nThe service code is a three-digit number that represents the type of card being swiped. In this particular instance,\r\nthe author chose to only capture cards that held the following options:\r\n  First Digit – ‘International interchange OK’ or ‘International interchange, use IC (chip) where feasible’\r\n  Second Digit – ‘Normal’\r\n  Third Digit – ‘No restrictions’\r\nBy adding these restrictions, the author was able to ignore cards that they did not consider to be appealing. Such\r\ncards included gift cards, debit cards, and test cards to name a few.\r\nAny discovered track data is stored in memory until exfiltration occurs. This data is exfiltrated via the ‘data’ POST\r\nparameter.\r\nKeylogging\r\nStarting in version 5.90, the author of FindPOS began adding keylogging to this family. Many magnetic card\r\nreaders emulate a keyboard device. 
Knowing this, many POS malware authors incorporate this\r\nfunctionality into their families. In addition to collecting track data, keylogging also has the ability to potentially\r\ncollect usernames, passwords, or other sensitive data on the victim machine.\r\nIn order to accomplish this, the author spawns a new thread that is responsible for keylogging. A common\r\ntechnique of creating a new empty window, registering itself as a raw input device, and making calls to the\r\nGetRawInputData API is used.\r\nAny keystrokes are stored in memory until exfiltration occurs. The keystrokes are exfiltrated via the ‘logs’ POST\r\nparameter.\r\nExfiltration\r\nExfiltration for FindPOS takes place via HTTP POST requests. A number of hardcoded domains are configured\r\nfor each sample, often varying between FindPOS variants. HTTP POST requests are made every 120 seconds (2\r\nminutes). In the event any data has been discovered, such as track data or keystroke data, this data is included. An\r\nexample request from version 5.80 is shown below:\r\nAs we can see, a number of POST variables are included in each request:\r\nAn example of decoding the ‘uinfo’ parameter can be seen below:\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e base64.b64decode(\"Sk9TSC1QQyBAIGpvc2gtUENcam9zaA==\")\r\n'JOSH-PC @ josh-PC\\\\josh'\r\nKeystroke data and track data are obfuscated using a combination of Base64 encoding and a single-byte XOR\r\nencryption. 
Decoding this data can be seen below:\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e raw = \"\"\r\n\u003e\u003e\u003e for s in base64.b64decode(\"HxkaGxgfGhodGhoaGhsTGxcbHxoSGxobGhMbGBkeHxwdEhMaGxU=\"):\r\n\u003e\u003e\u003e     raw += chr(ord(s) ^ 0x2a)\r\n\u003e\u003e\u003e print raw\r\n5301250070000191=15081010912345678901?\r\nIn addition to data exfiltration, FindPOS added the ability to download/execute further malware. Upon sending an\r\nexfiltration request, should the server respond with a 0x1 or 0x4 byte, followed by a URL, this file will be\r\ndownloaded and subsequently executed.\r\nThe file is downloaded to a temporary folder, with the file itself prefixed by ‘BN’. This downloaded file is\r\nexecuted via a call to CreateProcessA. In the event the file cannot be properly downloaded or executed, it is\r\ndeleted from disk.\r\nDomain/IP Address Information\r\nA total of 37 domains were discovered while researching the FindPOS malware family. Of these domains, 13\r\nunique IP addresses were discovered. The geographic location of these IP addresses can be seen below. Please\r\nrefer to the Appendix for a full list of all domains.\r\nThe majority of the domains discovered were configured with the following WHOIS information.\r\n  Registrant Name: Julio Quinlan\r\n  Registrant Organization: NA\r\n  Registrant Street: 4516 Glory Road\r\n  Registrant City: Nashville\r\n  Registrant State/Province: TN\r\n  Registrant Postal Code: 37204\r\n  Registrant Country: us\r\n  Registrant Phone: +01.9318135965\r\n  Registrant Phone Ext:\r\n  Registrant Fax: +01.9318135965\r\n  Registrant Fax Ext:\r\n  Registrant Email: barkmanueta@rambler.ru\r\nPlease note that the registrant email was slightly different depending on the domain queried. 
While the\r\ninformation above appears legitimate, it was discovered to be falsified.\r\nRelated Samples – Keylogging/LogMeIn Recon\r\nDuring the course of our research, a number of similar samples were discovered. One such sample can be seen\r\nbelow.\r\nVersion 8.3 – LogMeIn Recon / Keylogger\r\nThis particular sample is responsible for collecting LogMeIn account information, logging keystrokes and mouse clicks, and periodically exfiltrating this data to a remote server. This sample shares a number of characteristics\r\nwith the FindPOS samples previously discovered. Some of these similarities include the installation process, URI\r\nscheme, format of the HTTP POST requests, and the PDB string.\r\nUpon execution, this malware will install itself using the same method as FindPOS. Additionally, a mutex is created\r\nusing the technique previously mentioned. The malware will attempt to determine if LogMeIn Ignition is installed on\r\nthe victim machine by checking the following registry keys:\r\n  HKCU\\Software\\LogMeIn Ignition\\[Variable Hash]\\Account : Email\r\nAny discovered emails are exfiltrated using the same HTTP POST requests witnessed in FindPOS. However,\r\ninstead of using the ‘data’ POST parameter, this particular sample uses the ‘logs’ parameter. This can be seen\r\nbelow:\r\nThe malware proceeds to log keystrokes and mouse clicks. 
This data is exfiltrated every two minutes.\r\nWhile this sample certainly could have been used to scrape track data from POS terminals that have card readers\r\nthat emulate keyboard devices, I suspect this sample was more likely used to gain access to more POS machines.\r\nIt is most likely that this sample was dropped on a machine that was administering multiple POS machines, and\r\nthe information obtained from this particular box was leveraged to gain access to said POS machines.\r\nIt’s also interesting to note that the compile timestamp for this particular sample lines up to just about two weeks\r\nafter the introduction of keylogging functionality (starting in version 5.90). It would appear that right around this\r\ntime the malware author added a new trick to his or her repertoire.\r\nConclusion\r\nOverall, FindPOS isn’t terribly sophisticated. It lacks a number of features that we’ve seen in previous malware\r\nfamilies, such as a more sophisticated command and control structure, stronger encryption, and performing Luhn\r\nchecks on any discovered data. Additionally, the evolution of this family provides interesting clues to the notion\r\nthat this malware was written from scratch. While FindPOS may share minimal similarities with previously\r\nwitnessed malware families, we are strongly confident that this malware is a brand new family.\r\nWhile this malware doesn’t show strong sophistication, the large number of variants shows prevalence similar to\r\nfamilies such as Alina and Backoff. 
It is clear that FindPOS should be considered a strong threat to Microsoft\r\nWindows POS vendors, and measures should be taken to ensure protection.\r\nSuch measures include, but are not limited to, configuring two-factor authentication for any remote access\r\nservices (LogMeIn, VNC, RDP, etc.), ensuring anti-virus is installed and updated, and ensuring POS devices are\r\nnot used for non-approved functions, such as browsing the web or checking email.\r\nPalo Alto Networks customers are protected by WildFire, which automatically classifies FindPOS samples as\r\nmalware. Additionally, the indicators we've discovered that are related to these attacks have been added to\r\nPANDB and Anti-Malware protection systems.\r\nAppendix\r\nSample Information\r\nVersion 2.0\r\nVersion 2.1\r\nVersion 5.57\r\nVersion 5.80\r\nVersion 5.90\r\nVersion 6.0\r\nVersion 6.02\r\nVersion 6.03\r\nVersion 6.04\r\nYARA Rule\r\nimport \"cuckoo\"\r\nrule findpos\r\n{\r\n    meta:\r\n        description = \"FindPOS is a newly discovered POS family.\"\r\n        category = \"Point of Sale\"\r\n        author = \"Josh Grunzweig\"\r\n    strings:\r\n        $s1 = \"oprat=2\u0026uid=%I64u\u0026uinfo=%s\u0026win=%d.%d\u0026vers=%s\" nocase wide ascii\r\n        $pdb1 = \"H:\\\\Work\\\\Current\\\\FindStr\\\\Release\\\\FindStr.pdb\" nocase wide ascii\r\n        $pdb2 = \"H:\\\\Work\\\\FindStrX\\\\Release\\\\FindStr.pdb\" nocase wide ascii\r\n        $pdb3 = \"H:\\\\Work\\\\Current\\\\KeyLogger\\\\Release\\\\KeyLogger.pdb\" nocase wide ascii\r\n    condition:\r\n        any of ($s*) or\r\n        any of ($pdb*) or\r\n        (\r\n            cuckoo.sync.mutex(/WIN_[a-fA-F0-9]{16}/) and\r\n            cuckoo.registry.key_access(/\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/) and\r\n            (\r\n                cuckoo.filesystem.file_access(/C\\:\\\\WINDOWS\\\\System32\\\\\\w{8}\\.exe/) or\r\n                cuckoo.filesystem.file_access(/C\\:\\\\Documents\\ and\\ Settings\\\\[^\\\\]+\\\\\\w{8}\\.exe/)\r\n            )\r\n        )\r\n}\r\nSource: https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/"
	],
	"report_names": [
		"findpos-new-pos-malware-family-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c40d92061177f48fd1db9293669127bb3e8da06e.pdf",
		"text": "https://archive.orkl.eu/c40d92061177f48fd1db9293669127bb3e8da06e.txt",
		"img": "https://archive.orkl.eu/c40d92061177f48fd1db9293669127bb3e8da06e.jpg"
	}
}