Researchers ID New Variant of Alina PoS Malware

Researchers at Trustwave have uncovered a new variant of the Alina point-of-sale (PoS) malware.

Dubbed Spark, the malware differentiates itself from other versions of Alina in a number of ways, including its use of AutoIt as a loader. AutoIt is a BASIC-like scripting language designed for automating the Windows GUI and general scripting.

“Typically compiled scripts are very simplistic,” said Eric Merritt, Security Researcher at Trustwave. “This is a much more advanced use of the technique. Due in part to the ease of use of AutoIt, attackers can trivially alter the malware’s file signature to avoid AV detection.”

According to Trustwave, the AutoIt script contains functions to allocate memory, map a binary into that memory, fix the binary’s relocations and Import Address Table (IAT), and then execute it.

“A malicious binary is concatenated into a variable 4,000 bytes at a time and the script’s functions are used to load and execute it,” Trustwave researchers noted in a blog post. “The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.”

Trustwave spotted the variant during an investigation of multiple breaches of automotive repair and maintenance businesses, noted Trustwave spokesperson Abby Ross. Based on the firm’s investigation, the malware appears to have affected businesses across the country.

Alina was first spotted by the security community in late 2012. There are a number of reasons Trustwave links Spark to Alina. For one, Alina has a blacklist of processes that are not scraped for credit card data; Spark has the same blacklist with additional applications added. Both have the same credit card data-finding algorithm and use similar encoding schemes to hide the theft of credit card data. Like all the other versions of Alina, Spark also adds itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hkcmd key in order to maintain persistence through reboot, according to the firm.
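The loader description and the persistence indicator above suggest two host-side checks a defender can run when triaging a suspected Spark infection. The following is an added example, not code from Trustwave’s write-up or from the malware itself: it parses a reg export-style text dump and flags Run-key entries whose value name is the hkcmd name the article cites, and it checks a file’s bytes for the marker that AutoIt3-compiled executables (Aut2Exe output) carry. The marker string AU3!EA06 is an assumption to confirm against your own samples, and the registry dump and file bytes are constructed sample data. A legitimate Intel graphics hotkey utility also ships as hkcmd.exe, so a hit on the name is a prompt to verify the path and the binary, not proof of infection.

```python
# Added example (not code from the Trustwave write-up or the Alina/Spark
# malware): two defensive triage checks derived from indicators in the
# article. Both run offline on constructed sample data.
import re

# Persistence location named in the article (backslashes restored).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Run-key value name the article associates with Alina/Spark persistence.
SUSPECT_VALUE_NAMES = {"hkcmd"}
# Assumption: AutoIt3-compiled executables (Aut2Exe output) contain this
# marker; confirm against your own samples before relying on it.
AUTOIT_MARKER = b"AU3!EA06"


def parse_reg_export(text):
    """Parse a 'reg export'-style text dump into {key: {value_name: data}}.

    Handles [KEY] section headers and "name"="string data" lines; the
    doubled backslashes that reg export writes inside string data are
    collapsed back to single ones. Other value types are ignored.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*"(.*)"$', line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def find_suspicious_run_entries(text):
    """Return (value_name, command) pairs under the HKCU Run key whose value
    name matches a persistence name associated with Alina/Spark."""
    run_values = parse_reg_export(text).get(RUN_KEY, {})
    return [(name, cmd) for name, cmd in run_values.items()
            if name.lower() in SUSPECT_VALUE_NAMES]


def has_autoit_marker(blob):
    """True if the raw bytes of a file contain the AutoIt compiled-script marker."""
    return AUTOIT_MARKER in blob


# Constructed sample data (not real host artefacts).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"hkcmd"="C:\\Users\\alice\\AppData\\Roaming\\hkcmd.exe"
"""

# Minimal stand-ins for a PE file with and without the AutoIt marker.
SAMPLE_AUTOIT_EXE = b"MZ" + b"\x00" * 64 + b"AU3!EA06" + b"\x00" * 16
SAMPLE_PLAIN_EXE = b"MZ" + b"\x00" * 88

if __name__ == "__main__":
    for name, cmd in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name} -> {cmd}")
    print("AutoIt marker in sample:", has_autoit_marker(SAMPLE_AUTOIT_EXE))
```

On a live host the dump would come from reg export of the HKCU Run key and the bytes from the executable each Run entry points at; pairing the two checks (a suspect value name whose target is an AutoIt-compiled binary) is a stronger signal than either alone.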

Spark also has similarities to the JackPOS malware, including the use of the AutoIt compiled script as a loader.

“Both use similar blacklist approaches as well as custom functions for finding CC data [credit card],” according to Trustwave. “However, JackPOS almost exclusively attempts to masquerade as Java or a Java utility. It also either copies itself directly into the %APPDATA% directory or into a Java-based sub-directory inside %APPDATA%. JackPOS uses the MAC address as a bot ID and base64 encodes the CC data found on the system in order to obfuscate the exfiltration.”

In addition to antivirus, retailers should protect themselves by isolating their payment networks, hardening the systems that access credit card data with strict security policies, and disabling any unused services, said Merritt. Network protections such as IDS/IPS and egress filtering can also detect an infection and potentially limit automated exfiltration of the stolen credit card data, he added.
