Researchers at Trustwave have uncovered a new variant of the Alina point-of-sale (PoS) malware.
Dubbed Spark, the malware differentiates itself from other versions of Alina in a number of ways, including its use of AutoIt as a loader. AutoIt is a BASIC-like scripting language designed for automating the Windows GUI and general scripting.
“Typically compiled scripts are very simplistic,” said Eric Merritt, Security Researcher at Trustwave. “This is a much more advanced use of the technique. Due in part to the ease of use of AutoIt, attackers can trivially alter the malware’s file signature to avoid AV detection.”
According to Trustwave, the AutoIt script contains functions to allocate space in memory, map a binary into that memory, fix the relocations and Import Address Table and execute the binary.
“A malicious binary is concatenated into a variable 4,000 bytes at a time and the script’s functions are used to load and execute it,” Trustwave researchers noted in a blog post. “The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.”
Trustwave spotted the variant during an investigation of multiple breaches of automotive repair and maintenance businesses, noted Trustwave spokesperson Abby Ross. Based on the firm’s investigation, the malware appears to have affected businesses across the country.
Alina was first spotted by the security community in late 2012. There are a number of reasons Trustwave links Spark to Alina. For one, Alina has a blacklist of processes that are not scraped for credit card data. Spark has the same blacklist with additional applications added. Both have the same credit card data finding algorithm and use similar encoding schemes to hide the theft of credit card data. Like all the other versions of Alina, Spark also adds itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hkcmd key in order to maintain persistence through reboot, according to the firm.
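The persistence location above is something a defender can audit directly. The following PowerShell is an added example written for this article, not code from Trustwave or from the malware analysis: it enumerates the current user's Run key, flags any value named `hkcmd` (the name the report attributes to Alina/Spark), and also flags entries whose executable lives under a per-user writable directory such as `%APPDATA%`, reporting the file's SHA-256 so an analyst can compare it against known samples. The function name, parameter names, and the choice to treat AppData-resident Run entries as suspicious are this example's assumptions; the value name `hkcmd` is the only indicator taken from the article.

```powershell
# Added example (not from Trustwave's report or the Alina/Spark code):
# audit HKCU Run entries for the persistence value named in the article.
# Assumption: the value name is exactly "hkcmd"; run in the context of the
# user whose HKCU hive should be inspected.

function Get-SuspiciousRunEntries {
    param(
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string[]]$WatchNames = @('hkcmd')   # indicator taken from the article
    )

    if (-not (Test-Path -Path $RunKey)) { return @() }

    $props = Get-ItemProperty -Path $RunKey
    $results = foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty attaches (PSPath, PSDrive, ...)
        if ($p.Name -like 'PS*') { continue }

        $cmd = [string]$p.Value
        # Pull the executable path out of the command line, quoted or bare
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $hash = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }

        # Per-user writable locations are where the article says related PoS malware drops itself
        $inUserProfile = ($exe -like "$env:APPDATA*") -or ($exe -like "$env:LOCALAPPDATA*")

        [pscustomobject]@{
            Name          = $p.Name
            Command       = $cmd
            Executable    = $exe
            Exists        = $exists
            Sha256        = $hash
            InUserProfile = $inUserProfile
            WatchedName   = ($WatchNames -contains $p.Name)
        }
    }

    # Return only entries worth a second look; the caller can drop the filter to see everything
    $results | Where-Object { $_.WatchedName -or $_.InUserProfile }
}

# Usage: list flagged entries in a table, or pass through Export-Csv for collection at scale
Get-SuspiciousRunEntries | Format-Table Name, Executable, Exists, InUserProfile, WatchedName, Sha256 -AutoSize
```

An entry whose name matches but whose file no longer exists is still worth recording: the Run value survives a partial cleanup and shows the host was once affected. For fleet-wide use, run the function through your endpoint management tool and collect the `Sha256` column so unknown binaries can be triaged once rather than per host.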
Spark also has similarities to the JackPOS malware, including the use of the AutoIt compiled script as a loader.
“Both use similar blacklist approaches as well as custom functions for finding CC data [credit card],” according to Trustwave. “However, JackPOS almost exclusively attempts to masquerade as Java or a Java utility. It also either copies itself directly into the %APPDATA% directory or into a Java-based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and base64 encodes the CC data found on the system in order to obfuscate the exfiltration.”
In addition to antivirus, retailers should protect themselves by isolating their payment networks, keeping systems responsible for accessing credit card data hardened via strict security policies and disabling any unused services, said Merritt. Network protections such as IDS/IPS and egress filtering can also detect infection and potentially limit automated exfiltration of the stolen credit cards, he added.