Researchers from RSA say they have discovered the server infrastructure behind a point-of-sale (PoS) attack campaign that has infected systems mostly in the United States, but also in 10 other countries including Russia, Canada and Australia.
RSA’s security analysts found that in this particular operation, attackers leveraged the ChewBacca Trojan to steal Track 1 and Track 2 data from payment cards swiped through infected PoS systems dating back to Oct. 25, 2013.
The ChewBacca malware is not new, and it is not used exclusively against PoS systems. While not overly complex, the malware can log keystrokes and scrape a system’s memory. According to RSA, the memory scanner dumps a copy of a process’s memory and searches it for payment card data; if a card number is found, it is extracted and logged by the server, RSA said.
The malware is named ChewBacca after the Star Wars character, a name also given to one of its functions. Kaspersky Lab pointed out in December that ChewBacca uses Tor's anonymity capabilities to shield the attacker’s command and control infrastructure.
RSA’s team also noticed the anonymity feature.
“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection,” Yotam Gottesman, a Senior Security Researcher at RSA, noted in a blog post. “The server address uses the pseudo-TLD ‘.onion’ that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”
“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” Gottesman added.
The attacks have affected at least 41 companies, including one medium-sized retailer and several gas station chains, an RSA executive, who asked not to be named, told Bloomberg's Michael Riley. According to the executive, the attackers in this operation compromised credit-card data for about 50,000 customers.
This campaign does NOT appear to be connected in any way to the recent attack against Target Corporation.
Earlier this month, the FBI issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after discovering roughly 20 cases over the past year that involved point-of-sale malware.
Additional technical details, including information on how to remove ChewBacca from an infected system, are available from RSA here.
[Updated with additional information from Bloomberg]