Researchers from RSA say they have discovered the server infrastructure behind a point-of-sale (PoS) attack campaign that has infected systems mostly in the United States, but also in 10 other countries including Russia, Canada and Australia.
RSA’s security analysts found that in this particular operation, attackers leveraged the ChewBacca Trojan to steal Track 1 and Track 2 data from payment cards swiped through infected PoS systems dating back to Oct. 25, 2013.
The ChewBacca malware is not new, and it is not used exclusively against PoS systems. While not overly complex, it can log keystrokes and scrape a system's memory. According to RSA, the memory scanner dumps a copy of a process's memory and searches it for payment card data; if a card number is found, it is extracted and logged by the server.
The malware is named ChewBacca after the Star Wars character, a name that also appears in one of its functions. Kaspersky Lab pointed out in December that ChewBacca uses Tor's anonymity features to shield the attacker's command-and-control infrastructure.
RSA’s team also noticed this anonymity feature.
“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (CC) server(s), encrypting traffic, and avoiding network-level detection,” Yotam Gottesman, a Senior Security Researcher at RSA, noted in a blog post. “The server address uses the pseudo-TLD ‘.onion’ that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”
“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” Gottesman added.
This campaign does NOT appear to be connected in any way to the recent attack against Target Corporation.
Earlier this month, the FBI issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after discovering roughly 20 cases over the past year that involved point of sale malware.
Additional technical details, including information on how to remove ChewBacca from an infected system, are available from RSA here.
Mike Lennon, Managing Editor, SecurityWeek.