Similarities to Alina and JackPOS identified

Dec 19, 2014 15:40 GMT  ·  By

A newly discovered point-of-sale (PoS) malware, called Spark, has been seen to be distributed through a compiled AutoIt script.

Malware targeting PoS systems has been responsible for the largest card breaches of the past year, such as the one hitting Target (about 40 million credit and debit card accounts were impacted) and the one affecting Home Depot (card data of 56 million people was exposed).

AutoIt is a scripting language designed to automate interactions with the Windows graphical user interface.

Distribution is similar to that of JackPOS

Researchers at Trustwave found that cybercriminals used an AutoIt-compiled script as a loader to deliver the Spark PoS malware. The same tactic has been observed with JackPOS, another threat built to scrape information from the memory of PoS systems.

They say that using AutoIt, or another scripting language (Perl, Python), as a loader for the malicious file is neither an uncommon tactic nor a sophisticated approach. Cybercriminals use such scripts either to execute a binary on the system or for other functions they may need for their nefarious tasks.

But in the case of Spark, things are more complicated because “the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution,” Trustwave said in a blog post on Thursday.

Spark resembles Alina PoS malware

The researchers say that Spark has a great deal in common with Alina, a PoS RAM scraper first discovered in 2012. Alina drew attention because it relied on a command and control infrastructure to exfiltrate information and because it encrypted the stolen data.

It was also considered a model of efficiency because it blacklisted processes known not to unpack card data in the system's memory, so the scraper did not waste time on them. Its installation name was chosen randomly.

Both Alina and Spark use the %APPDATA% folder during the installation procedure, although the latter creates a subfolder in this location to store the malicious files, while the former copies itself there directly.

The two RAM scrapers use a similar set of blacklisted processes, the difference being that Spark's list is longer: it includes all of Alina's entries and adds some of its own.
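As an added example that is not part of the article or of Trustwave's analysis, the triage routine below turns the two install-location and loader details reported above into detection logic: it classifies whether an executable was copied directly into %APPDATA% (the Alina pattern) or into a subfolder of it (the Spark pattern), and checks for the marker that AutoIt's compiler embeds in compiled scripts (the marker value, the sample paths and the file bytes are assumptions constructed for this example).

```python
import ntpath
from typing import Iterable, List, Optional, Tuple

# Marker string the AutoIt compiler embeds in compiled script executables.
# Assumed for this example; it is not a value reported in the article.
AUTOIT_MARKER = b"AU3!EA06"

INSTALL_STYLE_NOTE = {
    "direct": "copied directly into %APPDATA% (Alina-style)",
    "subfolder": "installed in a %APPDATA% subfolder (Spark-style)",
}


def is_compiled_autoit(data: bytes) -> bool:
    """True if the file bytes carry the compiled-AutoIt marker."""
    return AUTOIT_MARKER in data


def appdata_install_style(path: str, appdata: str) -> Optional[str]:
    """Return 'direct', 'subfolder', or None for a file relative to %APPDATA%."""
    norm_path = ntpath.normcase(ntpath.normpath(path))
    norm_app = ntpath.normcase(ntpath.normpath(appdata))
    # The trailing separator stops "...\RoamingX\..." from matching "...\Roaming".
    if not norm_path.startswith(norm_app + "\\"):
        return None
    relative = norm_path[len(norm_app) + 1:]
    return "subfolder" if "\\" in relative else "direct"


def triage(files: Iterable[Tuple[str, bytes]], appdata: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every file that matches at least one indicator."""
    findings = []
    for path, data in files:
        reasons = []
        style = appdata_install_style(path, appdata)
        if style is not None:
            reasons.append(INSTALL_STYLE_NOTE[style])
        if is_compiled_autoit(data):
            reasons.append("compiled AutoIt script (possible loader)")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample input: a Spark-style drop, an Alina-style drop, and a benign file.
SAMPLE_APPDATA = r"C:\Users\pos\AppData\Roaming"
SAMPLE_FILES = [
    (r"C:\Users\pos\AppData\Roaming\svc\updater.exe", b"MZ\x90\x00" + b"\x00" * 8 + AUTOIT_MARKER),
    (r"C:\Users\pos\AppData\Roaming\winsvc.exe", b"MZ\x90\x00" + b"\x00" * 16),
    (r"C:\Program Files\POS\pos.exe", b"MZ\x90\x00" + b"\x00" * 16),
]

if __name__ == "__main__":
    for found_path, why in triage(SAMPLE_FILES, SAMPLE_APPDATA):
        print(found_path, "->", "; ".join(why))
```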

Researchers also found similarities between JackPOS and Spark, the use of an AutoIt loader being one of them. They believe the rumors that the source code for both Alina and JackPOS has been sold are true, which would explain the resemblance between the three pieces of malware.

Image captions (Spark PoS, 5 images):
Spark PoS execution flow
Random character generation algorithm for the name of the file containing the stolen data
The process for compiling an AutoIt script with a malicious binary