In the wake of a large-scale attack on point-of-sale (PoS) systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.
Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.
The malware is written in VBScript (Visual Basic Scripting) in less than 400 lines of code. Despite looking fairly unsophisticated, it can grab track 2 data -- data encrypted on the magnetic stripe of credit or debit cards -- from PoS memory and contains routines to evade malware analysis tools, like antivirus sandboxes and virtual machines.
The use of a scripting language to create malware is not unusual, but is highly uncommon for this particular type of threat. Andrey Komarov, CEO of IntelCrawler, said this is the first time he's seen PoS malware written in VBScript.
Using this language provide some benefits, like portability, as it works by default in all Windows versions since Windows 98 and doesn't require a separate interpreter. Many PoS systems run a version of Windows Embedded.
VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.
Decebal sends the stolen card data to a command-and-control server, particularly to a single 44-line PHP script running on a Web server that sorts the information and stores it.
Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.
Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler's assessment of the malware's origins. "Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen," he said Friday via email.
There were at least four separate strains of PoS RAM scraping malware developed in the past year, Botezatu said. "This shows a pattern, and we expect that cybercriminals will continue to use them as long as they work."
The Target data breach, which resulted in the compromise of 40 million credit and debit cards, involved malware being installed on PoS terminals. A separate credit card breach was confirmed last week at high-end retailer Neiman Marcus and there are reports of other, as yet undisclosed, retailers being compromised in a similar way.
Many PoS systems are becoming increasingly interconnected while their underlying OS is growing older and older, Botezatu said. "Most PoS malware we analyzed had little to no obfuscation or polymorphic capabilities because their creators don't expect to see any antivirus solution in place. Maybe it's time to take the same approach with Windows-based PoS devices like we do with Windows-based computers."
RAM scraping malware steals card data while it's passed in cleartext from the card reader to the payment software running on PoS systems, which then encrypts it and sends it with the transaction request to the external payment processing service. A solution to RAM scraping attacks is hardware-based encryption done directly on the card readers rather than in the PoS software.
Retailers should also use technology that can monitor application and process changes on all their payment processing systems, Levi Gundert, a threat researcher at Cisco Systems, said in a blog post. "Any change on the end point or multiple end points should be cause for immediate analysis."