“Cherry Picker” PoS Malware Cleans Up After Itself

A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave.

Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.

In 2011, Trustwave started analyzing several pieces of malware designed to inject processes with cardholder data. One of these toolsets consisted of two components: sr.exe, which is a command line interface, and searcher.dll, which got injected into targeted processes by sr.exe.

This toolset was often found on infected systems alongside other threats, such as a PoS malware created using the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.

Another threat seen on systems infected with searcher.dll is Cherry Picker, which has managed to stay under the radar. Trustwave reported spotting three versions of the malware, each with slight functionality improvements compared to the previous version.

According to researchers, Cherry Picker relies on a new memory scraping algorithm, uses a file infector for persistence, and ships with a cleaner component that removes all traces of the infection from the system.

While in some cases the PoS malware created a registry entry for persistence, in more recent instances experts discovered an updated version of sr.exe, srf.exe, which has been used to install the malware and inject a DLL into processes.

In basketball, a cherry picker is a player who doesn’t play defense with the rest of the team and instead sits near the opponent’s basket waiting for a pass after a change of possession, enabling them to score easily. Just like a cherry picker in basketball, the Cherry Picker malware doesn’t target all processes and instead focuses on one process that is known to contain card data.

The threat’s configuration file specifies which process should be injected, and if that process is not found, the malware exits. This indicates that the attacker has already conducted reconnaissance on the system to determine which process should be targeted.

The latest version of the PoS malware relies on the Windows QueryWorkingSet API (which enumerates the memory pages currently resident in a process's working set) to scrape memory. The harvested data is then written into a file and sent to the attacker's server.
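Because the harvested data is staged in a file before it leaves the host, a practical defensive check is to scan suspicious files or memory dumps for Luhn-valid track data rather than for the memory walk itself. The following is an added example for this article (not Trustwave's or Cherry Picker's code); the staged-file contents are constructed and use industry test PANs.

```python
import re

# Constructed sample of what a staged scraper output file might look like
# (two Luhn-valid industry test PANs plus one Luhn-invalid decoy).
SAMPLE = (
    b"\x00\x00TXN_OK\x00;4111111111111111=25121010000000000000?\x00"
    b"junk %B5555555555554444^DOE/JANE^2512101\x00"
    b";4111111111111112=2512?"  # fails Luhn, must be ignored
)

# Loose Track 2 (;PAN=YYMM...?) and Track 1 (%BPAN^NAME^YYMM...) shapes.
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})\d*\??")
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used to filter out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> list:
    """Return Luhn-valid Track 1/2 records found in buf, sorted by offset."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": "track2",
                         "pan_masked": mask(pan), "expiry": m.group(2).decode()})
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": "track1",
                         "pan_masked": mask(pan), "expiry": m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_card_data(SAMPLE):
        print(hit)
```

The Luhn filter is what keeps such a scan usable in practice: without it, timestamps and transaction IDs in a PoS process produce a flood of false positives.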

Once the data is exfiltrated, the cleaning process begins. The malware developers created a targeted cleaner tool designed to restore the infected system to a clean state. The threat relies on the popular remote control software TeamViewer to overwrite and remove files, logs and registry entries.

“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments has allowed the malware to remain under the radar of many security companies and AVs,” Trustwave researchers said. “The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”

Trustwave says it’s currently investigating a Cherry Picker attack targeting a company in the food and beverage industry, but the security firm warns that any business using PoS applications is at risk.

Additional technical details on Cherry Picker are available in a blog post from Trustwave.

Related Reading: Andromeda Botnet Used to Deliver New GamaPoS Malware

Related Reading: MalumPOS Malware Targets Oracle Micros PoS Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.