{"id":43793,"date":"2015-06-10T16:18:56","date_gmt":"2015-06-10T23:18:56","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=43793"},"modified":"2025-06-01T20:13:27","modified_gmt":"2025-06-02T03:13:27","slug":"evoltin-pos-malware-attacks-via-macro","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/","title":{"rendered":"&#8216;Evoltin&#8217; POS Malware Attacks via Macro"},"content":{"rendered":"<p>Over the past couple of months McAfee Labs has seen an increase in the usage of macros to deliver malware. This kind of malware, as mentioned in previous posts (<a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/banking-malware-dridex-arrives-via-phishing-email\">Dridex<\/a>, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/bartallex-renews-strain-of-macro-malware\">Bartallex<\/a>), usually arrives as an attached document within a phishing email. Recently McAfee Labs came across a point-of-sale (POS) malware that spreads through malicious macros inside a doc file. This macro comes into users\u2019 systems through a spam email with subjects such as &#8220;My Resume,&#8221; &#8220;Openings,&#8221; &#8220;Internship,&#8221; etc. and an attached Microsoft Word file, some with names like these:<\/p>\n<ul>\n<li>my_resume_8960.doc<\/li>\n<li>my_resume_42123.doc<\/li>\n<li>my_resume_63863.doc<\/li>\n<li>my_resume_9052.doc<\/li>\n<li>cv_76475.doc<\/li>\n<\/ul>\n<p>When these doc files are opened, they download and run the POS malware on the victim\u2019s machine. When a user tries to open\u00a0the malicious doc file, Word asks whether the user wants to enable macros. 
If enabled, this threat will execute.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43794 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\" alt=\"doc\" width=\"1045\" height=\"729\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png 1045w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc-300x209.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc-1024x714.png 1024w\" sizes=\"auto, (max-width: 1045px) 100vw, 1045px\" \/><\/a><\/p>\n<p>Upon extracting the macros, we can see that the contents of the macro are obfuscated to hinder their detection.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43795 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25.jpg\" alt=\"2\" width=\"945\" height=\"386\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25.jpg 945w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/25-300x123.jpg 300w\" sizes=\"auto, (max-width: 945px) 100vw, 945px\" \/><\/a><\/p>\n<p>Upon execution, the malware downloads the payload dro.exe (Md5: 6cdd93dcb1c54a4e2b036d2e13b51216) from its control server (80.242.123.155).<\/p>\n<p>This IP is already flagged by many AV vendors:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/VT.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43796 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/VT.png\" alt=\"VT\" width=\"519\" height=\"626\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/VT.png 519w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/VT-249x300.png 249w\" sizes=\"auto, (max-width: 519px) 100vw, 519px\" \/><\/a><\/p>\n<p>When run, the file copies itself into %temp% as defrag.scr using the NTFS 
Alternate Data Streams technique, which can put data into files and folders without affecting their functionality. These files and folders are not visible when viewed through conventional methods or commands such as Windows Explorer, the dir command, or any other file browser tools\u2014hiding the malicious components from detection. The file also drops a .vbs file as shown:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ADS.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-43798\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ADS.jpg\" alt=\"ADS\" width=\"505\" height=\"34\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ADS.jpg 505w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/ADS-300x20.jpg 300w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><\/a><\/p>\n<p>A code snippet:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/57.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-43843\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/57.png\" alt=\"5\" width=\"1328\" height=\"247\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/57.png 1328w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/57-300x56.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/57-1024x190.png 1024w\" sizes=\"auto, (max-width: 1328px) 100vw, 1328px\" \/><\/a><\/p>\n<p>The .vbs file contains code to load and execute the malicious process again if it is terminated. 
The following screenshot shows this code:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vbs.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43799 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vbs.png\" alt=\"vbs\" width=\"1039\" height=\"229\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vbs.png 1039w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vbs-300x66.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vbs-1024x226.png 1024w\" sizes=\"auto, (max-width: 1039px) 100vw, 1039px\" \/><\/a><\/p>\n<p>The simply obfuscated macro code, combined with the way the scripts are written, indicates that this malware has been written by a novice author.\u00a0This malware executes with the command-line argument &#8220;-&#8221;. If the malware doesn&#8217;t find this argument, it exits:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/75.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43845 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/75.png\" alt=\"7\" width=\"787\" height=\"358\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/75.png 787w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/75-300x136.png 300w\" sizes=\"auto, (max-width: 787px) 100vw, 787px\" \/><\/a><\/p>\n<p>The malware also connects to the following control servers:<\/p>\n<ul>\n<li>systeminfou48.ru<\/li>\n<li>infofinaciale8h.ru<\/li>\n<li>helpdesk7r.ru<\/li>\n<\/ul>\n<p>All these domains resolve to the same IP address: 146.185.221.31.<\/p>\n<p>The malware sends the victim\u2019s PC\u00a0name, GUID, etc. through\u00a0HTTP POST\u00a0to the remote server. 
A code snippet:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/87.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-43846\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/87.png\" alt=\"8\" width=\"1032\" height=\"395\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/87.png 1032w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/87-300x115.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/87-1024x392.png 1024w\" sizes=\"auto, (max-width: 1032px) 100vw, 1032px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/94.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43847 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/94.png\" alt=\"9\" width=\"1310\" height=\"265\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/94.png 1310w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/94-300x61.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/94-1024x207.png 1024w\" sizes=\"auto, (max-width: 1310px) 100vw, 1310px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/104.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43848 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/104.png\" alt=\"10\" width=\"1209\" height=\"298\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/104.png 1209w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/104-300x74.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/104-1024x252.png 1024w\" sizes=\"auto, (max-width: 1209px) 100vw, 1209px\" \/><\/a><\/p>\n<p>If the malware doesn&#8217;t find card-related information, it sleeps for five minutes and then starts the search process again:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/115.png\"><img loading=\"lazy\" decoding=\"async\" class=\" 
size-full wp-image-43849 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/115.png\" alt=\"11\" width=\"1049\" height=\"254\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/115.png 1049w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/115-300x73.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/115-1024x248.png 1024w\" sizes=\"auto, (max-width: 1049px) 100vw, 1049px\" \/><\/a><\/p>\n<p>If successful, the malware encrypts the information before sending it to the control server:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/124.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43850 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/124.png\" alt=\"12\" width=\"837\" height=\"191\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/124.png 837w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/124-300x68.png 300w\" sizes=\"auto, (max-width: 837px) 100vw, 837px\" \/><\/a><\/p>\n<p>The malware contains hardcoded strings such as \u201cnit_love\u201d and \u201cHWAWAWAWA,\u201d which might be used as a campaign identifier. 
We gave this malware the name Evoltin, which is the hardcoded string nit_love in reverse.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/connectURL.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43801 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/connectURL.png\" alt=\"connectURL\" width=\"658\" height=\"275\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/connectURL.png 658w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/connectURL-300x125.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/142.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43851 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/142.png\" alt=\"14\" width=\"705\" height=\"79\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/142.png 705w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/142-300x34.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/142-699x79.png 699w\" sizes=\"auto, (max-width: 705px) 100vw, 705px\" \/><\/a><\/p>\n<p>The malware uses a mailslot for one-way interprocess communication between processes, both locally and over a network. It can also store the track information and stolen data in the mailslot and send the data to its control server using a POST request.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/151.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43852 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/151.png\" alt=\"15\" width=\"1083\" height=\"273\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/151.png 1083w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/151-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/151-1024x258.png 1024w\" sizes=\"auto, 
(max-width: 1083px) 100vw, 1083px\" \/><\/a><\/p>\n<p>The malware creates a run registry entry to execute itself every time Windows starts:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/runentry.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43803 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/runentry.png\" alt=\"runentry\" width=\"837\" height=\"172\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/runentry.png 837w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/runentry-300x62.png 300w\" sizes=\"auto, (max-width: 837px) 100vw, 837px\" \/><\/a><\/p>\n<p>Because the malware installs itself in the %temp% directory, users can configure and test Access Protection Rules in <a href=\"https:\/\/www.mcafee.com\/us\/products\/virusscan-enterprise.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">McAfee VirusScan Enterprise<\/a> to restrict the creation of new files and folders when there are no other legitimate uses:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172.png\"><img loading=\"lazy\" decoding=\"async\" class=\" size-full wp-image-43853 aligncenter\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172.png\" alt=\"17\" width=\"496\" height=\"496\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172.png 496w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-150x150.png 150w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-300x300.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-32x32.png 32w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-64x64.png 64w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-96x96.png 96w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/172-128x128.png 128w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/a><\/p>\n<h2>McAfee&#8217;s Role<\/h2>\n<p>McAfee products detect the malicious macro and the payload as 
W97M\/Downloader.aht and Evoltin POS with DAT Version 7823 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the past couple of months McAfee Labs has seen an increase in the usage of macros to deliver malware&#8230;.<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,338,180],"coauthors":[3973],"class_list":["post-43793","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>&#039;Evoltin&#039; POS Malware Attacks via Macro | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Recently McAfee labs found a point-of-sale malware that spreads through malicious macros inside a doc file. This threat arrives via a spam email.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"&#039;Evoltin&#039; POS Malware Attacks via Macro | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Recently McAfee labs found a point-of-sale malware that spreads through malicious macros inside a doc file. 
This threat arrives via a spam email.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-06-10T23:18:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T03:13:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1045\" \/>\n\t<meta property=\"og:image:height\" content=\"729\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"&#8216;Evoltin&#8217; POS Malware Attacks via Macro\",\"datePublished\":\"2015-06-10T23:18:56+00:00\",\"dateModified\":\"2025-06-02T03:13:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\"},\"wordCount\":574,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\",\"keywords\":[\"computer security\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\",\"name\":\"'Evoltin' POS Malware Attacks via Macro | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\",\"datePublished\":\"2015-06-10T23:18:56+00:00\",\"dateModified\":\"2025-06-02T03:13:27+00:00\",\"description\":\"Recently McAfee labs found a point-of-sale malware that spreads through malicious macros inside a doc file. This threat arrives via a spam email.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/doc.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evoltin-pos-malware-attacks-via-macro\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"&#8216;Evoltin&#8217; POS Malware Attacks 
via Macro\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for 
everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=43793"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43793\/revisions"}],"predecessor-version":[{"id":214756,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43793\/revisions\/214756"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=43793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=43793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=43793"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=43793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}