In its current incarnation, it has a limited feature set and is basically a RAM scraper. Once deployed, it watches the infected PC's RAM for text patterns and writes any matches to a local DAT file. Notably, it currently appears to have no networking capability at all: once the data has been collected and stored, it has no means of exfiltrating it to a command-and-control server (yet).
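As an added illustration of the scraping behaviour described above (example code written for this page, not RtPOS's own code, which is not shown): a Python sketch that scans a constructed memory buffer for one plausible "text pattern", Track 2-style card data, filters candidates with a Luhn check, and appends the hits to a local DAT file. The Track 2 regex, the Luhn filter, the file layout and the sample buffer are all assumptions; the page does not say what patterns RtPOS actually matches or how its DAT file is laid out. What the block deliberately lacks is any network code, which is the point of the paragraph.

```python
import re
from pathlib import Path

# Constructed memory snapshot standing in for a POS process's RAM (assumption:
# the page does not show real RtPOS input). The PANs are well-known test
# numbers, not real cards: 4111111111111111 and 5555555555554444 pass Luhn,
# 4111111111111112 does not and should be discarded as a false positive.
SAMPLE_MEMORY = (
    b"\x00\x00GET /index HTTP/1.1\r\n"
    b"garbage\x01\x02;4111111111111111=25121010000000000000?\x00"
    b"more noise ;4111111111111112=25121010000000000000? trailing"
    b"\xff\xfe;5555555555554444=26061010012345678901?\x00"
    b"\x00\x00"
)

# Track 2-style field: start sentinel ';', 13-19 digit PAN, separator '=',
# YYMM expiry, 3-digit service code, discretionary data, end sentinel '?'.
# Assumption: a typical POS scraper pattern; RtPOS's real patterns are not
# documented on the page.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list[dict]:
    """Return Luhn-valid Track 2 records found in a raw memory buffer."""
    records = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        records.append({
            "pan": pan,
            "expiry": m.group(2).decode("ascii"),
            "service": m.group(3).decode("ascii"),
            "offset": m.start(),
        })
    return records


def write_dat(records: list[dict], path) -> int:
    """Append hits to a local DAT file, one record per line; return the count.

    Nothing here touches the network: the data simply sits on disk until some
    other component (or a later version) comes to collect it.
    """
    path = Path(path)
    with path.open("a", encoding="ascii") as fh:
        for r in records:
            fh.write(f"{r['pan']}={r['expiry']}{r['service']}\n")
    return len(records)


if __name__ == "__main__":
    hits = scan_memory(SAMPLE_MEMORY)
    for h in hits:
        print(h)
    print(write_dat(hits, "scrape.dat"), "record(s) written to scrape.dat")
```

Run against the constructed buffer, the scan yields two records (the third candidate fails Luhn) and `write_dat` leaves them in a plain text file in the working directory; a real scraper would iterate over other processes' memory rather than a local byte string, but the pattern-match-then-store loop is the same, and the absence of any send step is what the "no networking" observation means in practice.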
There are two competing theories about why the software is built this way. One is that it is simply a rough draft, a work in progress. Although relatively benign as it stands, it would be easy for the authors to add enhancements to the code, and possibly to update the software remotely, turning this "nonthreatening" sample into a real menace in the blink of an eye.
The other theory is that RtPOS is one component of a multi-part, much subtler attack. Its job is simply to infect and collect, leaving a separate process to exfiltrate the stored data at irregular intervals, which would be harder to detect and less likely to draw attention.
At present there is no clear indication which theory is correct, but both are disturbing. Either way, a sample with no network code will not show up in egress monitoring; the local DAT file and the memory scanning that populates it are the artifacts there are to hunt for. As ever, vigilance is key. Hardly a day goes by without researchers somewhere in the world discovering a new threat. This is merely the latest.