RedPOS: What It Is and How It Targets Point-of-Sale Systems

Understanding RedPOS — Detection, Mitigation, and Best Practices

RedPOS is a family of point-of-sale (POS) malware that emerged in criminal markets targeting retail environments, hospitality, and other businesses that process card-present transactions. It is designed to scrape payment card data from the memory of POS applications and exfiltrate that data to attackers for later sale or fraud. This article explains how RedPOS works, shows signs of compromise, outlines detection techniques, recommends mitigation and containment steps, and provides best practices to reduce risk.


Background and capabilities

RedPOS first appeared in public reporting around 2016–2017. Like other POS-targeting malware (e.g., RAM-scrapers such as BlackPOS, Backoff, and DumpMemory), RedPOS focuses on harvesting unencrypted card data while it is in the card-processing application’s memory (RAM) before encryption or tokenization occurs.

Common capabilities:

  • Memory scraping: scanning process memory for Primary Account Numbers (PANs), expiration dates, track data, and other cardholder information using regular expressions or pattern matching.
  • Process enumeration and injection: identifying POS processes or injecting code to access their memory space.
  • File and data staging: storing harvested records locally in encrypted or obfuscated files before exfiltration.
  • Network exfiltration: sending collected data over HTTP/HTTPS, FTP, or other channels to attacker-controlled servers.
  • Persistence mechanisms: adding registry keys, scheduled tasks, or using legitimate services to maintain persistence across reboots.
  • Targeted filtering: avoiding non-POS systems by looking for environment indicators like POS software, vendor-named processes, or Windows version specifics.

Infection vectors and how attackers get in

Attackers use several methods to gain initial access to POS systems:

  • Phishing and credential theft to compromise backend administration or remote-management accounts.
  • Exploitation of unpatched Windows or third-party software on the POS network.
  • Weak or shared credentials for Remote Desktop Protocol (RDP), VNC, or remote management tools.
  • Compromise of third-party vendors or service providers with access to the POS network.
  • Lateral movement from an initially compromised workstation on the same network segment.

A notable pattern in POS compromises is targeting the corporate network or retailer’s central systems first, then moving laterally into the POS network through poorly segmented networks or re-used credentials.


Indicators of compromise (IOCs) and detection tips

Behavioral and forensic indicators:

  • Unexpected processes or binaries with names similar to legitimate services but located outside expected directories.
  • New or unusual scheduled tasks, services, or registry Run keys.
  • Outbound network connections to unfamiliar domains, especially POST requests carrying base64 or binary payloads.
  • Presence of files that contain many PAN-like strings (16-digit numbers) or files named/bundled with terms like “log”, “data”, or obfuscated names.
  • Elevated process memory reads or suspicious process handles from processes that shouldn’t need them.
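The "many PAN-like strings" indicator above is only useful if it does not fire on every 16-digit timestamp or session ID. The following added triage helper (not code from the original article or from any vendor) narrows candidates with the Luhn checksum and masks anything it reports so the triage output itself never holds full card numbers. The staging-file sample is constructed and uses only industry test card numbers.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so triage output never spills a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list[str]:
    """Return distinct, masked, Luhn-valid PAN-like strings found in a text blob."""
    hits = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn rejects most timestamps, session IDs and counters that happen to be 16 digits;
        # the set() check drops runs of a single repeated digit, which Luhn accepts.
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.add(mask(digits))
    return sorted(hits)

def looks_like_staging_file(text: str, threshold: int = 3) -> bool:
    """Flag a blob that holds at least `threshold` distinct PAN-like values."""
    return len(find_pans(text)) >= threshold

# Constructed sample resembling a RAM-scraper staging file (test card numbers only).
# Line 1 holds two 16-digit values that are not card numbers and must not be counted.
SAMPLE_STAGING = (
    "ts=2024010112000000 sid=1234567890123456\n"
    "%B4111111111111111^DOE/JOHN^2512101?\n"
    "5555-5555-5555-4444 exp 12/25\n"
    "378282246310005 | 4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_STAGING))
    print("staging file?", looks_like_staging_file(SAMPLE_STAGING))
```

Point the same functions at files under the POS application directory from a file-integrity alert, and raise the threshold for hosts that legitimately hold test data.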

Detection techniques:

  • Endpoint detection and response (EDR) with behavioral monitoring for memory scraping patterns (process reading another process’s memory, frequent enumerations of payment-process names).
  • Network monitoring for unusual outbound traffic patterns and bulk uploads timed outside business hours.
  • File integrity monitoring to detect creation of unknown files in POS directories.
  • Regular log review for login anomalies, unexpected privilege escalations, and remote-access sessions.
  • Use of PCI DSS-focused scanning tools and intrusion detection systems tuned for POS malware signatures and behaviors.
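The network-monitoring items above combine into one rule set: a POS terminal should only ever talk to a short allowlist, and a POST, a bulk upload, or off-hours timing from that segment to anything else deserves a look. The added example below (not from the original article) runs those rules over constructed proxy log lines; the POS subnet, the allowlisted hosts, the store hours, the log field layout and the 10,000-byte threshold are all assumptions for the demonstration.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Assumed POS segment and the only destinations POS terminals legitimately contact.
POS_NET = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_HOSTS = {"gateway.payment-processor.example", "pos-updates.vendor.example"}
BUSINESS_HOURS = range(6, 23)   # assumed store hours 06:00-22:59, log timestamps in local time
BULK_BYTES = 10_000             # assumed upload size worth a look from a POS terminal

def parse_line(line: str) -> dict:
    """Parse one constructed proxy log line:
    <iso-timestamp> <src-ip> <method> <url> <status> <bytes-out> <content-type>"""
    ts, src, method, url, status, out_bytes, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "method": method, "host": urlsplit(url).hostname,
            "status": int(status), "bytes": int(out_bytes), "ctype": ctype}

def assess(rec: dict) -> list[str]:
    """Return the reasons a POS-originated request deserves an alert (empty = benign)."""
    if rec["src"] not in POS_NET or rec["host"] in ALLOWED_HOSTS:
        return []
    # Deny-by-default egress: any non-allowlisted destination from the POS segment is a finding;
    # the remaining checks only raise its priority.
    reasons = ["destination not on POS allowlist"]
    if rec["method"] == "POST":
        reasons.append("POST from POS terminal")
    if rec["bytes"] >= BULK_BYTES:
        reasons.append(f"bulk upload ({rec['bytes']} bytes)")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run the rules over a log blob; returns ("src -> host", reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reasons = assess(rec)
            if reasons:
                alerts.append((f"{rec['src']} -> {rec['host']}", reasons))
    return alerts

# Constructed log: one legitimate authorization, one 03:14 bulk POST to an unknown host,
# one vendor update check, and one corporate-subnet request outside this rule's scope.
SAMPLE_LOG = """\
2024-03-02T14:02:11 10.20.5.17 POST https://gateway.payment-processor.example/auth 200 812 application/json
2024-03-02T03:14:07 10.20.5.17 POST https://cdn-sync.example.net/up.php 200 48211 application/x-www-form-urlencoded
2024-03-02T15:30:45 10.20.5.21 GET https://pos-updates.vendor.example/manifest 200 0 -
2024-03-02T09:12:03 10.30.1.5 POST https://cdn-sync.example.net/up.php 200 48211 application/x-www-form-urlencoded
"""

if __name__ == "__main__":
    for where, why in scan(SAMPLE_LOG):
        print(where, "|", "; ".join(why))
```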

Incident response: containment and eradication

Immediate steps when a RedPOS infection is suspected:

  1. Isolate impacted systems: Disconnect compromised POS terminals and any connected systems from the network to stop exfiltration and lateral movement.
  2. Preserve forensic evidence: If possible, capture memory images, disk images, and network logs before rebooting or wiping systems. This supports root-cause analysis and legal compliance.
  3. Identify scope: Determine which systems, credentials, and networks are affected. Look for lateral movement indicators and common persistence artifacts (registry keys, services).
  4. Remove malware: Reimage POS terminals and any compromised servers. Simply deleting files is insufficient if persistence and credential theft occurred.
  5. Rotate credentials: Reset passwords for all accounts, especially administrative and remote-access accounts. Treat credentials that were used on compromised systems as breached.
  6. Notify stakeholders: Follow legal and regulatory requirements (e.g., PCI DSS notification obligations, data breach laws) and inform affected third parties, banks, and customers as required.
  7. Implement monitoring: Increase logging, enable EDR, and monitor for re-infection attempts.

Mitigation and preventive controls

Network and architecture:

  • Segment networks: Strictly separate POS networks from corporate networks and the internet. Apply firewall rules that limit outbound traffic from POS machines to only necessary endpoints (e.g., payment processors).
  • Deny direct internet access from POS devices; route necessary payment traffic through hardened, monitored gateways.
  • Zero trust principles: Enforce least privilege, strong authentication, and device verification for any management connections.

Endpoint and application controls:

  • Application allowlisting: Permit only approved applications to run on POS systems. This blocks unknown executables even if an attacker gains local access.
  • Disable unnecessary services and admin accounts on POS systems. Remove local admin rights from non-admin users.
  • Patch management: Keep OS and POS application software, remote access tools, and third-party components up to date.
  • Multi-factor authentication (MFA) for administrative and remote access accounts.
  • Use end-to-end encryption or point-to-point encryption (P2PE) so PANs are encrypted at the card reader and never exposed in cleartext in the POS system’s memory.
  • Regular backups and immutable logging to support recovery and investigations.

Operational controls:

  • Vendor access controls: Contractual and technical restrictions for third-party vendors; use bastion hosts or jump boxes with strict logging for vendor sessions.
  • Employee training on phishing and credential hygiene.
  • Periodic threat hunting and red-team exercises to validate detection and response capabilities.

Best practices checklist

  • Maintain network segmentation and firewall rules that isolate POS systems.
  • Enforce MFA and strong password policies for all privileged accounts.
  • Use application allowlisting and disable unnecessary services on POS terminals.
  • Deploy EDR with memory-protection and behavioral detection tuned for POS malware.
  • Implement P2PE or tokenization to minimize exposure of card data in POS memory.
  • Patch systems promptly and maintain an asset inventory for POS devices.
  • Log and monitor remote-access sessions; restrict vendor access via jump hosts.
  • Reimage compromised systems and rotate all credentials after an incident.
  • Conduct regular PCI DSS compliance assessments and incident response drills.

Example incident timeline (typical)

  1. Initial compromise: Phishing leads to malware on a corporate workstation.
  2. Credential theft: Attacker obtains remote access credentials (RDP/VNC).
  3. Lateral movement: Attacker accesses POS network due to weak segmentation.
  4. Deployment: RedPOS or similar RAM-scraper deployed to POS terminals.
  5. Exfiltration: Card data harvested and sent to attacker-controlled servers.
  6. Monetization: Stolen data sold on carding forums or used for fraud.

Closing notes

Protecting POS environments requires a mix of technical controls, sound architecture, vigilant monitoring, and operational discipline. RedPOS is one member of a broader class of memory-scraping threats targeting card data; defenses that reduce exposed card data (P2PE/tokenization), limit attacker options (segmentation, allowlisting, MFA), and improve detection (EDR, network monitoring) substantially reduce the risk and impact of such attacks.
