Security Experts:

Soraya Malware Mixes Capabilities of Zeus and Dexter to Target Payment Card Data

Researchers at Arbor Networks have spotted a new family of point-of-sale malware that ties several techniques together in an effort to steal information.

The malware, which has been named Soraya, uses a mix of memory scraping techniques similar to the Dexter malware while intercepting form data sent from web browsers like the Zeus Trojan.

According to Arbor Networks, thousands of payment cards have been compromised by the malware. The firm was able to access track data from one command and control after the attacker temporarily placed the card data in a publicly accessible location. Arbor Network's analysis of the track one data revealed that 65.16 percent of the compromised payment cards were issued by financial institutions located in the U.S. Financial institutions in Costa Rica were also heavily affected, and were tied to 21.45 percent of the cards.

MalwareDebit cards were the most prevalent, accounting for nearly 64 percent of the stolen cards. The rest were credit cards, Arbor Networks found.

Matt Bing, research analyst at Arbor Networks, said that the malware was identified by the firm in May. Several other security vendors have added detection for it as well. However, several of those vendors label it with generic terms such as 'Trojan' or 'Dropper', he said.

"Our analysis should help vendors fine-tune their detections and provide context around a specific threat, i.e. a piece of malware that steals credit cards versus something perhaps more benign," he told SecurityWeek.

Soraya begins by injecting itself as a thread on a variety of system processes such as Windows Shell explorer.exe. To maintain its persistence, the malware writes a copy of itself into the AppData directory with the name servhost.exe and sets itself to execute with the registry:


"New processes launched from the infected explorer.exe shell, notably web browsers, will have Soraya code injected," blogged Bing and fellow Arbor Networks researcher Dave Loftus. "The malware does this by hooking calls to the ntdll.dll!NtResumeThread() function, which is responsible for process initialization. The function ntdll!NtQueryDirectoryFile() is also hooked to hide displaying the servhost.exe file. Both of these techniques are similar to functionality found in the Zeus family of malware."

"One thread on the system is responsible for scraping memory for credit card data," the researchers continued. "It does this by creating the mutex POSMainMutex to ensure it is the only thread operating."

Every five seconds, the thread will iterate through the list of processes with Process32Next() while setting side certain system processes, the researchers explained. It will also check memory regions for every process with VirtualQueryEx(), ignoring those with the PAGE_NOACCESS or PAGE_GUARD values set, and then copy valid memory regions with ReadProcessMemory() and examine them for payment card data.

The Dexter malware family uses a similar technique, the researchers noted.

"After injecting itself, Soraya will check if the new process is a Web browser by locating several unique DLLs," the researchers blogged. "The functions targeted are those responsible for sending POST data, which are intercepted and sent to the C2 as a 'mode 4' message…All POST data is captured, not just payment card information."

"Soraya hooks these functions by overwriting the function prologue with the instructions PUSH and RET, essentially providing a new saved return address and returning to it," they blogged.  

"Soraya has clearly taken inspiration from the Dexter and the Zeus families," they added. "The 'split brain' functionality of both memory scraping and form grabbing is Soraya’s most unique trait. In past campaigns, memory scrapers have been uniquely targeted at point-of-sale devices and form grabbers have been uniquely targeted at online bank users."

*Mike Lennon contributed to this article.

view counter