SecureState has been fielding many requests for information in light of recent point-of-sale breach revelations. Earlier this year, SecureState developed a custom scanning tool that retailers can use to detect BlackPOS Malware. However, recent breaches like that of Home Depot are showing that retailers need to be vigilant about scanning for other forms of malware as well. While there is little public information around Home Depot, the most recent of the breaches, the US CERT recently released Alert TA14-212A which deals primarily with the "Backoff" family of malware. Seven point-of-sale vendors have confirmed that multiple clients have been affected by this malware, so it's a good idea for retailers and others that use point-of-sale systems to be alert and cognizant of their risks.

To make this task easier, SecureState’s Research and Innovation team has updated its POS Malware Detection Tool to incorporate US CERT’s guidance regarding Backoff. This tool uses a confidence-based scoring system that looks for the various methods the malware may be deployed according to the alert.  Incorporating checks for BlackPOS and now Backoff, this tool is a good quick check on systems that are suspected of compromise.

That being said, we also must remember that threats to point-of-sale can take many forms, and no single tool can take the place of robust security practices around sensitive data. Consider our guidance around egress filtering and engaging in a security assessment of these areas to ensure readiness on both today’s headlines and tomorrow’s.

This tool will:

  • Allow users to run a scan manually or remotely.
  • Scan for file and registry artifacts to identify potential signs of KAPTOXA infection on a POS system.
  • Generate a confidence output giving the user an indication of a likely compromise.

The modular build of the tool allows it to accept new signatures and strands in the scanning portion of the code. SecureState is welcoming more information from the information security community to develop and continue to improve the indicators of compromise for this and future variants of KAPTOXA, and similar malware. Therefore, if you have the actual strands or other relevant information artifacts related to the malware and related compromises, please submit to info@securestate in the OpenIOC format if possible to have consideration for inclusion into the tool.
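The bullets above describe the shape of the tool: a table of file and registry indicators, a scan that checks each one, and a confidence score summed from the matches. The following is an added example of that design in Python; it is not SecureState's tool or its signature set. Every indicator path, registry value name and weight below is a constructed placeholder, not a real BlackPOS or Backoff IoC, and the `FakeHost` class exists so the scan can be exercised offline on a constructed host view. `LocalHost` uses `os.path.exists` and the standard `winreg` module when run on Windows.

```python
"""Confidence-scored scan for file and registry artifacts (added illustration).

All indicators here are constructed placeholders so the scoring logic can be
shown without shipping real malware signatures.
"""
import os
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str            # "file" or "registry"
    target: str          # file path, or "HIVE\\Sub\\Key" for registry
    weight: int          # points added to the score when the indicator matches
    value_name: str = "" # registry value to look up (registry kind only)
    expected: str = ""   # expected registry data; "" means presence is enough
    label: str = ""      # human-readable description for the report


# Constructed placeholder indicators (assumption: not real IoCs).
INDICATORS = [
    Indicator("file", r"C:\PLACEHOLDER\dropper.exe", 40, label="placeholder dropper"),
    Indicator("file", r"C:\PLACEHOLDER\dump.bin", 25, label="placeholder track-data dump"),
    Indicator("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 35,
              value_name="PLACEHOLDER_RUNKEY", label="placeholder Run-key persistence"),
]


class FakeHost:
    """Offline host view built from constructed data, used for the demo and tests."""

    def __init__(self, files, registry):
        self._files = set(files)        # set of existing paths
        self._registry = dict(registry) # {(key, value_name): data}

    def file_exists(self, path):
        return path in self._files

    def registry_value(self, key, name):
        return self._registry.get((key, name))


class LocalHost:
    """Real host view; registry lookups only work on Windows."""

    def file_exists(self, path):
        return os.path.exists(path)

    def registry_value(self, key, name):
        if not sys.platform.startswith("win"):
            return None
        import winreg
        hive_name, _, subkey = key.partition("\\")
        hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE,
                "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
        try:
            with winreg.OpenKey(hive, subkey) as k:
                data, _ = winreg.QueryValueEx(k, name)
                return str(data)
        except OSError:
            return None  # key or value absent


def confidence_band(score):
    """Map a 0-100 score to the band reported to the operator."""
    if score >= 70:
        return "high"
    if score >= 35:
        return "medium"
    if score > 0:
        return "low"
    return "none"


def scan(host, indicators=INDICATORS):
    """Check every indicator against the host; return (score, band, matched indicators)."""
    hits = []
    for ind in indicators:
        if ind.kind == "file":
            matched = host.file_exists(ind.target)
        elif ind.kind == "registry":
            data = host.registry_value(ind.target, ind.value_name)
            matched = data is not None and (ind.expected == "" or data == ind.expected)
        else:
            raise ValueError(f"unknown indicator kind {ind.kind!r}")
        if matched:
            hits.append(ind)
    score = min(100, sum(i.weight for i in hits))  # cap so many weak hits stay bounded
    return score, confidence_band(score), hits


if __name__ == "__main__":
    score, band, hits = scan(LocalHost())
    print(f"score={score} confidence={band}")
    for h in hits:
        print(f"  matched {h.kind}: {h.target} ({h.label})")
```

New signatures are added by appending `Indicator` rows; a real OpenIOC submission would be translated into such rows by whoever maintains the table, which is the modularity the post describes.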

The tool has been tested on all MS Windows versions up to Windows 7.

Please click here for a list of frequently asked questions regarding how to run the tool.

file: pos_malware_check.exe
md5: pos_malware_check.exe 07c5d90ba3295ff3f3571c58c0d358f5
sha1: pos_malware_check.exe