Researchers ID New Variant of Alina PoS Malware

Researchers at Trustwave have uncovered a new variant of the Alina point-of-sale (PoS) malware.

Dubbed Spark, the malware differentiates itself from other versions of Alina in a number of ways, including its use of AutoIt as a loader. AutoIt is a BASIC-like scripting language designed for automating the Windows GUI and general scripting.

“Typically compiled scripts are very simplistic,” said Eric Merritt, Security Researcher at Trustwave. “This is a much more advanced use of the technique. Due in part to the ease of use of AutoIT, attackers can trivially alter the malware’s file signature to avoid AV detection.”

According to Trustwave, the AutoIt script contains functions to allocate space in memory, map a binary into that memory, fix the relocations and Import Address Table, and execute the binary.

“A malicious binary is concatenated into a variable 4,000 bytes at a time and the script’s functions are used to load and execute it,” Trustwave researchers noted in a blog post. “The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.”

Trustwave spotted the variant during an investigation of multiple breaches of automotive repair and maintenance businesses, noted Trustwave spokesperson Abby Ross. Based on the firm’s investigation, the malware appears to have affected businesses across the country.

Alina was first spotted by the security community in late 2012. There are a number of reasons Trustwave links Spark to Alina. For one, Alina has a blacklist of processes that are not scraped for credit card data; Spark has the same blacklist with additional applications added. Both use the same credit-card-finding algorithm and similar encoding schemes to hide the theft of credit card data. Like all the other versions of Alina, Spark also adds itself as the hkcmd value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key in order to maintain persistence through reboot, according to the firm.

Spark also has similarities to the JackPOS malware, including the use of the AutoIt compiled script as a loader.

“Both use similar blacklist approaches as well as custom functions for finding CC data [credit card],” according to Trustwave. “However, JackPOS almost exclusively attempts to masquerade as java or a java utility. It also either copies itself directly into the %APPDATA% directory or into a java based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and base64 encodes the CC data found on the system in order to obfuscate the exfiltration.”

In addition to antivirus, retailers should protect themselves by isolating their payment networks, keeping systems responsible for accessing credit card data hardened via strict security policies and disabling any unused services, said Merritt. Network protections such as IDS/IPS and egress filtering can also detect infection and potentially limit automated exfiltration of the stolen credit cards, he added.
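Merritt's point about egress filtering rests on the payment segment having a short, known list of legitimate destinations, so that anything else a PoS host talks to stands out. The script below is an added example of that check run over an exported connection log; it is not code from the article or from Trustwave. The log lines, the 10.20.5.0/24 payment segment, the allowlisted hosts, and the beaconing threshold are all constructed for the example.

```python
import ipaddress
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed egress log export (firewall/proxy). Fields: timestamp, src_ip, dst_host, dst_port, bytes_out.
# Addresses, host names and byte counts are invented; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = """\
2014-03-11T02:15:01Z,10.20.5.11,gateway.payments.example,443,1840
2014-03-11T02:15:09Z,10.20.5.11,updates.pos-vendor.example,443,3072
2014-03-11T02:16:44Z,10.20.5.14,198.51.100.23,80,4096
2014-03-11T02:21:44Z,10.20.5.14,198.51.100.23,80,4096
2014-03-11T02:26:44Z,10.20.5.14,198.51.100.23,80,4096
2014-03-11T02:27:10Z,10.20.7.30,www.example.org,443,900
"""

# Assumed isolated payment segment and the only egress it is permitted.
POS_SEGMENT = ipaddress.ip_network("10.20.5.0/24")
EGRESS_ALLOWLIST = {("gateway.payments.example", 443), ("updates.pos-vendor.example", 443)}


def _is_ip(host: str) -> bool:
    """True when the destination is a bare IP rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_log(text: str) -> List[Dict]:
    """Turn the CSV export into records with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return rows


def find_egress_violations(text: str) -> List[Dict]:
    """Group non-allowlisted connections from the payment segment and annotate why each stands out."""
    flows: Dict[Tuple[str, str, int], List[Dict]] = {}
    for r in parse_log(text):
        if r["src"] not in POS_SEGMENT or (r["dst"], r["port"]) in EGRESS_ALLOWLIST:
            continue
        flows.setdefault((str(r["src"]), r["dst"], r["port"]), []).append(r)

    findings = []
    for (src, dst, port), events in flows.items():
        reasons = ["destination not on payment-segment allowlist"]
        if _is_ip(dst):
            reasons.append("raw IP destination (no DNS name)")
        if port == 80:
            reasons.append("cleartext HTTP egress")
        # Evenly spaced repeat connections to the same place are a common shape for automated exfiltration.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) >= 2:
            m = median(gaps)
            if m > 0 and all(abs(g - m) <= 0.1 * m for g in gaps):
                reasons.append(f"regular beaconing, ~{int(m)}s interval over {len(events)} connections")
        findings.append({
            "src": src, "dst": dst, "port": port,
            "connections": len(events),
            "bytes_out": sum(e["bytes"] for e in events),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_egress_violations(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['connections']} conns, {f['bytes_out']} bytes)")
        for r in f["reasons"]:
            print("  -", r)
```

On the sample the only finding is 10.20.5.14 reaching a raw IP on port 80 every five minutes; the workstation outside the payment segment and the allowlisted processor traffic are ignored. In a real deployment the same allowlist is what the egress firewall rule should enforce, and this review is the check that the rule is actually holding.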
