Light Dark
August 11, 2016 By Larry Loeb 2 min read

Security firm PandaLabs has been watching point-of-sale (POS) malware for some time. It talked earlier this year about PunkeyPOS, a malware that affected POS terminals at hundreds of restaurants. But it didn’t give up the fight after that; it kept watching for Punkey.

A New POS Malware

PandaLabs discovered more details about the criminal group behind the malware and how it operates. The firm recently announced on its official website that the group actually uses valid LogMeIn user credentials meant for accounts used on computers running POS software and connected to POS terminals.

LogMeIn can be thought of as a tool similar to TeamViewer. It allows users to log in and manage remote devices. In a POS systems, LogMeIn can be used by the same business that provides the systems to restaurants to perform updates, maintenance and the like.

Softpedia noted that the attackers did not use a zero-day vulnerability in LogMeIn; they simply took advantage of weak login credentials or deduced the credentials through other means. Panda advised customers to consult the user manual for best practices regarding protecting accounts.

About POSCardStealer

While observing a PunkeyPOS attack on terminals, the researchers noticed another POS malware conducting its own evil machinations during that attack. They called the new malware POSCardStealer. They found that this threat would only try to load if LogMeIn was present on the POS system.

According to the researchers, the attackers first connected to the POS using LogMeIn. Then, they downloaded an executable using the program, which then executes a script. Fourteen hours later, an isolated attack installed a new version of the Multigrain malware in one POS terminal, Softpedia reported.

Just 30 minutes after that, the attack automatically replicated itself and infected hundreds of victim machines in only 10 minutes.

Bars and Restaurants, Beware

The variant of POSCardStealer the security firm found was compiled in Visual C++. Panda said the malware samples were created specifically to attack those POS victims.

POSCardStealer was used on at least 30 POS systems. The malware’s infection routine included specific support for Dinerware, which is a POS system deployed at bars and restaurants, and POSitouch, which is also catered to the food and service industry.

This kind of POS malware can only have bad consequences, especially when it flies under the radar of security professionals trying to keep their customers’ payment information secure.

 |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature