The researchers has analyzed a piece of malware being used to scrape credit card information at the Point-of-Sale (PoS). Using a previously leveraged malware family and living off the land techniques, the threat group has managed to compromise several PoS terminals. The malware uses PsExec and compromised credentials to implant a pair of files to three separate PoS systems. A PowerShell script is saved as a batch file and an image file. Several pairs, in differing combination, have been discovered. Although the pairs and specific tools and techniques employed differ, the basic functionality is the same. The image file’s contents are loaded into memory by the batch file. The script injects the image file data into its own process. Raw shell code is appended to the PNG file in order to gain access. The shell code is a variant of the TinyPOS family. A file is created in order to store the scraped credit card data. The file is then uploaded to a C2 server in an encoded format.