This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA Uncovers New POS Malware Operation Stealing Payment Card & Personal Information

SethGeftic
Beginner
Beginner
‎2014-01-30 12:35 PM

NOTE: This blog entry originally appeared on RSA's Speaking of Security blog: https://blogs.rsa.com/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information/

 

 

By Yotam Gottesman, Senior Security Researcher, RSA FirstWatch team

In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.

RSA anti-fraud researchers have been in contact with victim companies at the center of this operation, sharing key forensics information gathered in this investigation.

As part of RSA’s investigation that uncovered this stolen payment card data, RSA observed “ChewBacca,” a relatively new, private Trojan used in this operation that features simple keylogging and memory-scraping functionality.

Untitled

Figure 1: ChewBacca server login page

ChewBacca Bot

ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.

 

Untitled

Figure 2: Using RegEx to scan for credit card data in memory.

 

RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection. The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.

 

Installation Process

The Trojan is self-contained and runs as-is. It has no dynamic configuration and is non-modular according to RSA’s investigation.

Upon running, ChewBacca installs a copy of itself in the Windows Start > Startup folder, as a file named “spoolsv.exe“, for example:

Untitled

Figure 3: Dropped ChewBacca malware file.

The file name disguises the Trojan as a Windows Print Spooler service executable, and placing it in the Startup folder causes it to run automatically at Windows startup.

After installation, the keylogger creates a file called “system.log” inside the system %temp% folder, logging keyboard events and window focus changes.

Based on its current findings, RSA believes that deleting this file and rebooting will effectively remove ChewBacca from an infected system.

ChewBacca Server Side

The server side control panel allows the botmaster easy access to manage the botnet and review the compromised data. A “Reports” screen lists information about the compromised machines and the data captured from each of them. Data is presented in either parsed form or in raw text (as it was grabbed from the machine).

Before disappearing behind TOR, the controller of this botnet was observed logging into the server from an east European country.

Untitled

Figure 4: ChewBacca server-side reports screen.

 

The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.

Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.

RSA researchers are continuing their analysis and monitoring of the operation.

 

Yotam Gottesman is a senior security researcher at RSA’s FirstWatch team. Yotam is an expert in software security and malware research, having specialized in protocol analysis and reverse engineering malicious code written for both the Windows and Linux OS. When not dissecting malware, Yotam can be found trading stocks and closely watching financial trends.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.