Soraya Malware Mixes Capabilities of Zeus and Dexter to Target Payment Card Data

Researchers at Arbor Networks have spotted a new family of point-of-sale malware that ties several techniques together in an effort to steal information.

The malware, which has been named Soraya, uses a mix of memory scraping techniques similar to the Dexter malware while intercepting form data sent from web browsers like the Zeus Trojan.

According to Arbor Networks, thousands of payment cards have been compromised by the malware. The firm was able to access track data from one command and control after the attacker temporarily placed the card data in a publicly accessible location. Arbor Network’s analysis of the track one data revealed that 65.16 percent of the compromised payment cards were issued by financial institutions located in the U.S. Financial institutions in Costa Rica were also heavily affected, and were tied to 21.45 percent of the cards.

Debit cards were the most prevalent, accounting for nearly 64 percent of the stolen cards. The rest were credit cards, Arbor Networks found.

Matt Bing, research analyst at Arbor Networks, said that the malware was identified by the firm in May. Several other security vendors have added detection for it as well. However, several of those vendors label it with generic terms such as ‘Trojan’ or ‘Dropper’, he said.

“Our analysis should help vendors fine-tune their detections and provide context around a specific threat, i.e. a piece of malware that steals credit cards versus something perhaps more benign,” he told SecurityWeek.

Soraya begins by injecting itself as a thread into a variety of system processes such as the Windows Shell, explorer.exe. To maintain persistence, the malware writes a copy of itself into the AppData directory with the name servhost.exe and sets itself to execute via the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinServHost.
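The persistence artifacts above (a Run value named WinServHost launching servhost.exe from AppData) are the kind of indicator a responder hunts for first. The following is an added example, not code from Arbor Networks or from the article: it classifies a list of HKCU Run entries against those two indicators plus a generic "autostart from AppData" rule. The entries are a constructed sample; on a real host they would come from the registry or an Autoruns export.

```python
"""Hunt HKCU\\...\\Run entries for the Soraya persistence indicators.

Added example (not Arbor Networks' code). Indicators from the article:
value name WinServHost, image name servhost.exe under AppData.
"""
import ntpath
import re

# Indicators taken from the article.
IOC_VALUE_NAME = "winservhost"
IOC_FILE_NAME = "servhost.exe"

# Generic rule: an autostart image under a user-writable AppData path.
APPDATA_RE = re.compile(r"\\appdata\\", re.IGNORECASE)


def image_path(command):
    """Extract the executable path from a Run-key command line.

    Handles quoted paths ("C:\\dir with spaces\\x.exe" /arg) and
    unquoted ones (C:\\dir\\x.exe /arg).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_run_entry(value_name, command):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    path = image_path(command)
    base = ntpath.basename(path).lower()
    if value_name.lower() == IOC_VALUE_NAME:
        reasons.append("value name matches Soraya IoC WinServHost")
    if base == IOC_FILE_NAME:
        reasons.append("image name matches Soraya IoC servhost.exe")
    if APPDATA_RE.search(path):
        reasons.append("autostart image lives under AppData")
    return reasons


def hunt(entries):
    """entries: iterable of (value_name, command). Returns flagged entries
    as (value_name, command, reasons) tuples."""
    flagged = []
    for name, cmd in entries:
        reasons = classify_run_entry(name, cmd)
        if reasons:
            flagged.append((name, cmd, reasons))
    return flagged


# Constructed sample of Run values; not taken from a real host.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("WinServHost", "C:\\Users\\alice\\AppData\\Roaming\\servhost.exe"),
    ("SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for name, cmd, reasons in hunt(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {cmd}\n  -> " + "; ".join(reasons))
```

The generic AppData rule is deliberately noisy: legitimate software such as OneDrive also persists from AppData, which is why the sample flags it with a single low-confidence reason while the servhost.exe entry matches all three. Treat the IoC matches as the actionable hits and the AppData rule as a triage queue.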

“New processes launched from the infected explorer.exe shell, notably web browsers, will have Soraya code injected,” blogged Bing and fellow Arbor Networks researcher Dave Loftus. “The malware does this by hooking calls to the ntdll.dll!NtResumeThread() function, which is responsible for process initialization. The function ntdll!NtQueryDirectoryFile() is also hooked to hide displaying the servhost.exe file. Both of these techniques are similar to functionality found in the Zeus family of malware.”


“One thread on the system is responsible for scraping memory for credit card data,” the researchers continued. “It does this by creating the mutex POSMainMutex to ensure it is the only thread operating.”

Every five seconds, the thread iterates through the list of processes with Process32Next(), setting aside certain system processes, the researchers explained. For each remaining process it enumerates memory regions with VirtualQueryEx(), ignoring those with the PAGE_NOACCESS or PAGE_GUARD protection flags set, then copies the valid regions with ReadProcessMemory() and examines them for payment card data.

The Dexter malware family uses a similar technique, the researchers noted.
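The scraping loop just described has a recognisable shape from the outside: one process periodically reads the memory of many other processes. The following is an added example, not Arbor Networks' code, showing how that behaviour can be flagged from an API-call trace. The trace format (`<seconds> <pid> <api> <target_pid>`) is a hypothetical simplification of what a sandbox or EDR API monitor records, the thresholds are assumptions chosen for the example, and the trace lines are constructed.

```python
"""Behavioural detection for a Dexter/Soraya-style memory-scraping loop.

Added example (not Arbor Networks' code). Flags a pid that repeatedly
calls ReadProcessMemory against several *other* processes in separate
sweeps, which is what a scraper thread looks like from an API trace.
"""
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the article.
MIN_DISTINCT_TARGETS = 3   # a sweep must read >= 3 foreign processes ...
MIN_SWEEPS = 2             # ... and at least 2 such sweeps must occur
SWEEP_GAP_SECONDS = 2.0    # silence longer than this separates sweeps

# Constructed trace in the hypothetical "<seconds> <pid> <api> <target_pid>" format.
# pid 4120 behaves like the scraper thread (sweeps every ~5 s);
# pid 2200 only reads its own memory and must not be flagged.
SAMPLE_TRACE = """\
0.0 4120 Process32Next 0
0.1 4120 VirtualQueryEx 612
0.1 4120 ReadProcessMemory 612
0.2 4120 VirtualQueryEx 880
0.2 4120 ReadProcessMemory 880
0.3 4120 VirtualQueryEx 1404
0.3 4120 ReadProcessMemory 1404
1.0 2200 ReadProcessMemory 2200
5.0 4120 Process32Next 0
5.1 4120 ReadProcessMemory 612
5.2 4120 ReadProcessMemory 880
5.3 4120 ReadProcessMemory 1404
10.0 4120 Process32Next 0
10.1 4120 ReadProcessMemory 612
10.2 4120 ReadProcessMemory 880
10.3 4120 ReadProcessMemory 1404
"""


def parse_trace(text):
    """Yield (time, pid, api, target) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, pid, api, target = parts
        try:
            yield float(t), int(pid), api, int(target)
        except ValueError:
            continue


def cross_process_reads(events):
    """Group ReadProcessMemory calls on other processes by the reading pid."""
    reads = defaultdict(list)
    for t, pid, api, target in events:
        if api == "ReadProcessMemory" and target != pid:
            reads[pid].append((t, target))
    return reads


def split_sweeps(reads):
    """Split one pid's (time, target) reads into sweeps separated by silence.

    Returns a list of sets of target pids, one set per sweep."""
    sweeps, current, last_t = [], set(), None
    for t, target in sorted(reads):
        if last_t is not None and t - last_t > SWEEP_GAP_SECONDS:
            sweeps.append(current)
            current = set()
        current.add(target)
        last_t = t
    if current:
        sweeps.append(current)
    return sweeps


def detect_scrapers(text):
    """Return {pid: (wide_sweep_count, max_distinct_targets)} for suspicious pids."""
    hits = {}
    for pid, reads in cross_process_reads(parse_trace(text)).items():
        wide = [s for s in split_sweeps(reads) if len(s) >= MIN_DISTINCT_TARGETS]
        if len(wide) >= MIN_SWEEPS:
            hits[pid] = (len(wide), max(len(s) for s in wide))
    return hits


if __name__ == "__main__":
    for pid, (n, width) in detect_scrapers(SAMPLE_TRACE).items():
        print(f"pid {pid}: {n} sweeps reading up to {width} foreign processes")
```

Legitimate tools (debuggers, AV engines, some backup agents) also read foreign process memory, so in practice the rule is paired with an allow-list of expected readers and the periodicity is itself a feature: a scraper repeats the sweep on a timer, while a debugger reads one target.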

“After injecting itself, Soraya will check if the new process is a Web browser by locating several unique DLLs,” the researchers blogged. “The functions targeted are those responsible for sending POST data, which are intercepted and sent to the C2 as a ‘mode 4’ message…All POST data is captured, not just payment card information.”

“Soraya hooks these functions by overwriting the function prologue with the instructions PUSH and RET, essentially providing a new saved return address and returning to it,” they blogged.
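A prologue overwritten with PUSH imm32 / RET has a fixed byte signature (0x68 followed by a four-byte address, then 0xC3), which is what anti-rootkit and memory-forensics tools look for when checking exported functions for inline hooks. The following is an added example, not Arbor Networks' code: it inspects the first bytes of a function as mapped in memory, reports a push/ret or jmp-style hook and where it transfers control, and diffs the bytes against a clean copy. The prologue bytes and the function address are constructed for the example; in a live check the in-memory bytes come from the loaded module and the clean bytes from the on-disk PE.

```python
"""Detect a PUSH/RET (or JMP) inline hook on a function prologue.

Added example (not Arbor Networks' code). Works on 32-bit x86 encodings:
  68 xx xx xx xx C3   push imm32 ; ret   (the technique named in the article)
  E9 xx xx xx xx      jmp rel32          (the other common inline hook)
"""
import struct


def detect_inline_hook(prologue, address):
    """Return (kind, target_address) if the prologue is hooked, else None.

    prologue: first bytes of the function as mapped in memory (>= 6 bytes
              to recognise push/ret).
    address:  the function's virtual address, needed to resolve a rel32 jmp.
    """
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        # push imm32 ; ret -> control "returns" to the pushed absolute address
        target = struct.unpack_from("<I", prologue, 1)[0]
        return "push/ret", target
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        # jmp rel32 -> displacement is relative to the end of the 5-byte instruction
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp", (address + 5 + rel) & 0xFFFFFFFF
    return None


def compare_with_disk(in_memory, on_disk):
    """Offsets at which the mapped prologue differs from the on-disk copy."""
    return [i for i, (a, b) in enumerate(zip(in_memory, on_disk)) if a != b]


# Constructed sample: a common 32-bit prologue
# (mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0x10) ...
CLEAN = bytes.fromhex("8bff558bec83ec10")
# ... and a hooked copy whose first six bytes became "push 0x00401000 ; ret".
HOOKED = bytes.fromhex("6800104000c3ec10")
FUNC_ADDR = 0x77E41234   # hypothetical address of the hooked function

if __name__ == "__main__":
    hook = detect_inline_hook(HOOKED, FUNC_ADDR)
    if hook:
        kind, target = hook
        print(f"{kind} hook -> 0x{target:08x}; modified offsets "
              f"{compare_with_disk(HOOKED, CLEAN)}")
    else:
        print("prologue intact")
```

The signature check alone is enough to raise an alert, but the byte diff against the on-disk image is what separates a hook from a function that legitimately starts with a jump (hot-patch stubs and import thunks do). A resolved target that falls outside any loaded module's image is the strongest indicator that injected code, rather than another DLL, owns the hook.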

“Soraya has clearly taken inspiration from the Dexter and the Zeus families,” they added. “The ‘split brain’ functionality of both memory scraping and form grabbing is Soraya’s most unique trait. In past campaigns, memory scrapers have been uniquely targeted at point-of-sale devices and form grabbers have been uniquely targeted at online bank users.”

*Mike Lennon contributed to this article.

Written By

Marketing professional with a background in journalism and a focus on IT security.
