By Yotam Gottesman, Senior Security Researcher, RSA FirstWatch team
In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.
RSA anti-fraud researchers have been in contact with victim companies at the center of this operation, sharing key forensics information gathered in this investigation.
As part of RSA’s investigation that uncovered this stolen payment card data, RSA observed “ChewBacca,” a relatively new, private Trojan used in this operation that features simple keylogging and memory-scraping functionality.
Figure 1: ChewBacca server login page
ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.
Figure 2: Using RegEx to scan for credit card data in memory.
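The memory scanner described above keys on the fixed layout of magnetic stripe track 1 and track 2 data. The same layout is what a defender's DLP or forensic scan uses to confirm whether card data was sitting in cleartext in a process dump, a log file, or a captured upload. The following added example (not RSA's code, and not the malware's own expressions, which the post does not quote) scans a constructed byte blob for ISO 7813-style track 1 and track 2 records, discards candidates whose account number fails the Luhn check, and reports only masked PANs so the scan result itself does not become a new copy of the card data. The sample blob and every pattern are constructed for illustration.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
# Track 2:           ;<PAN>=<YYMM><service code + discretionary data>?
# Patterns are constructed for this example (ISO 7813 layout), not the Trojan's.
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; hide the rest, so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list[dict]:
    """Scan a memory dump / file / capture for track 1 and track 2 records.

    Returns one finding per Luhn-valid record: track type, masked PAN,
    expiry (YYMM) and byte offset, which is what an analyst needs to confirm
    exposure without retaining the full card number.
    """
    text = blob.decode("latin-1")   # 1:1 byte-to-char mapping keeps offsets exact
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group("pan")
            if not luhn_ok(pan):    # digit runs that merely look like a PAN
                continue
            findings.append({
                "track": kind,
                "pan": mask_pan(pan),
                "exp": m.group("exp"),
                "offset": m.start(),
            })
    return findings


# Constructed sample "process memory": one track 1 record, one track 2 record,
# and one track-2-shaped decoy whose PAN fails Luhn (4111111111111112).
SAMPLE_DUMP = (
    b"\x00\x00PoSApp.exe\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b"\x00garbage\x00"
    b";4111111111111111=25121010000012345678?"
    b"\x00;4111111111111112=2512101000001234?\x00"
)

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_DUMP):
        print(f"{f['track']} at offset {f['offset']}: PAN {f['pan']} exp {f['exp']}")
```

Run against a real dump, the offsets tell you which process region held cleartext track data, which is the evidence needed to decide whether a PoS application, rather than the network, is where encryption or tokenization has to be introduced.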
RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection. The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.
The Trojan is self-contained and runs as-is. It has no dynamic configuration and is non-modular according to RSA’s investigation.
Upon running, ChewBacca installs a copy of itself in the Windows Start > Startup folder, as a file named “spoolsv.exe”, for example:
Figure 3: Dropped ChewBacca malware file.
The file name disguises the Trojan as a Windows Print Spooler service executable, and placing it in the Startup folder causes it to run automatically at Windows startup.
After installation, the keylogger creates a file called “system.log” inside the system %temp% folder, logging keyboard events and window focus changes.
Based on its current findings, RSA believes that deleting this file and rebooting will effectively remove ChewBacca from an infected system.
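The two host artifacts named above (a copy of “spoolsv.exe” in the Startup folder rather than in System32, and a “system.log” in the %temp% directory) are simple enough to turn into a hunting check. The following added example (not RSA's code) classifies a constructed Windows file listing against those two indicators. The exact Startup folder paths (the per-user one under %APPDATA% and the all-users one under %ProgramData%) and the environment values are assumptions made for the example, not values taken from the post; the `scan_live` helper only runs when those directories exist on the host.

```python
import os
import ntpath

# Assumed locations (not from the post): the legitimate Print Spooler binary
# lives in System32; the Startup folders are where ChewBacca drops its copy.
LEGIT_SPOOLER_DIR = r"C:\Windows\System32"
STARTUP_DIRS = (
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
)


def _expand(template: str, env: dict) -> str:
    """Expand %VAR% tokens using an explicit environment (keeps the check offline)."""
    out = template
    for key, val in env.items():
        out = out.replace(f"%{key}%", val)
    return out.lower()


def classify_path(path: str, env: dict) -> list[str]:
    """Return the ChewBacca-related findings (if any) for one file path."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    findings = []
    if name == "spoolsv.exe" and directory != LEGIT_SPOOLER_DIR.lower():
        if directory in {_expand(d, env) for d in STARTUP_DIRS}:
            findings.append("spoolsv.exe in a Startup folder (ChewBacca persistence)")
        else:
            findings.append("spoolsv.exe outside System32 (masquerading binary)")
    if name == "system.log" and directory == _expand("%TEMP%", env):
        findings.append("system.log in %TEMP% (ChewBacca keylog output)")
    return findings


def triage_listing(paths: list[str], env: dict) -> dict:
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {p: f for p in paths if (f := classify_path(p, env))}


def scan_live(env=None) -> dict:
    """Walk the real Startup and TEMP directories when they exist (Windows hosts)."""
    env = dict(env or os.environ)
    candidates = []
    for d in list(STARTUP_DIRS) + ["%TEMP%"]:
        real = os.path.expandvars(d)
        if os.path.isdir(real):
            candidates += [os.path.join(real, n) for n in os.listdir(real)]
    return triage_listing(candidates, env)


# Constructed environment and file listing for an illustrative host.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\clerk\AppData\Roaming",
    "ProgramData": r"C:\ProgramData",
    "TEMP": r"C:\Users\clerk\AppData\Local\Temp",
}
SAMPLE_LISTING = [
    r"C:\Windows\System32\spoolsv.exe",                                   # legitimate
    r"C:\Users\clerk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
    r"C:\Users\clerk\AppData\Local\Temp\system.log",
    r"C:\Users\clerk\AppData\Local\Temp\setup.log",                         # benign
    r"C:\Tools\spoolsv.exe",                                              # wrong place
]

if __name__ == "__main__":
    for path, findings in triage_listing(SAMPLE_LISTING, SAMPLE_ENV).items():
        print(path, "->", "; ".join(findings))
```

The Startup-folder hit is the one that confirms the persistence mechanism the post describes, and a system.log in %temp% is the sign that keystrokes are already being captured; once a host is confirmed, the removal step is the one the post gives (delete the dropped file and reboot), followed by the card-data exposure check on the PoS process.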
ChewBacca Server Side
The server side control panel allows the botmaster easy access to manage the botnet and review the compromised data. A “Reports” screen lists information about the compromised machines and the data captured from each of them. Data is presented in either parsed form or in raw text (as it was grabbed from the machine).
Before disappearing behind TOR, the controller of this botnet was observed logging into the server from an east European country.
Figure 4: ChewBacca server-side reports screen.
The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.
Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.
RSA researchers are continuing their analysis and monitoring of the operation.
Yotam Gottesman is a senior security researcher at RSA’s FirstWatch team. Yotam is an expert in software security and malware research, having specialized in protocol analysis and reverse engineering malicious code written for both the Windows and Linux OS. When not dissecting malware, Yotam can be found trading stocks and closely watching financial trends.