FastPOS PoS malware implements a quick exfiltration method

Trend Micro experts discovered a new strain of Point-of-Sale (PoS) malware dubbed FastPOS that implements a quick and efficient exfiltration technique.

Security experts at Trend Micro have spotted a new strain of PoS malware dubbed FastPOS that is able to quickly exfiltrate harvested data.

The malware was used by threat actors to target both enterprises and SMBs in several countries across the world, including the United States, Brazil, France, Japan, Hong Kong, and Taiwan.

The FastPOS  malware is usually served via compromised websites, via VNC access using stolen credentials or brute-force attacks, or through a file sharing service.

“Take the case of this newly discovered PoS malware which is notable for its speed in how the information is stolen and sent back to attackers. We call this malware FastPOS, due to the said speed and efficiency of its credit card theft capabilities.” Trend Micro wrote in a detailed report on the FastPOS malware.

Like other PoS malware, FastPOS scrapes the memory of the infected device to steal payment card data and it also logs keystrokes, but different from other PoS malware it sends the harvested data immediately back to the C&C server that is hardcoded in the malware.

The C&C server also hosts a crime forum that specializes in selling payment card data.


The RAM scraping feature implemented by FastPOS relies on a custom algorithm that checks the card validity and the fact that the card can be used internationally and it does not require a PIN.

“The main RAM scraping process handled by the second thread and a custom algorithm is implemented in the following flow: 

  1. Check field separator (‘=’ or ‘D’)
  2. Check first digit of the primary account number (aka, primary account number or PAN) (3,4,5,6)
  3. Check expiry year (not later than 2040)
  4. Check expiry month (no value above 12)
  5. Service code should be 201 or 101 (magnetic stripe card/IC card, PIN not required)
  6. Must pass Luhn validation
  7. Data after service code should be digits from 0-9 up to 16 characters, and ends with ‘?’

In order to avoid detection, FastPOS maintains log keystrokes in memory, without writing them on the disk, a technique already implemented by other malware like NewPosThings.

The keylogging feature collects several data including passwords, personal details, financial data and also the title of the window where the data has been entered.

The threat exfiltrates data leveraging an HTTP GET request instead of a POST request, which is the privileged choice for data stealer malware.

“One possibility is that the use of a GET command is designed to cause fewer suspicions – after all, this is the same command used when any browser retrieves a website,” continues Trend Micro.

As explained by the experts at Trend Micro, FastPOS could be very effective in targeting small organizations thanks its quick and efficient exfiltration technique.

Enjoy the report.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.