A variant of the Alina malware, used to scrape credit card (CC) data from point of sale (POS) software, has been rampaging its way through the wild lately—using a sophisticated twist in approach that involves AutoIT.
The variant—dubbed Spark—first reared its head in late 2013 but got active again in the last month. It’s a bit of a missing link, showing possible relationships and evolution between two different malwares. Some researchers have identified it as a different malware called JackPOS, but according to Trustwave SpiderLabs researcher Eric Merritt, this variant is its own separate ball of badness.
“It is clear that Alina, JackPOS, and this variant all bear close resemblances to each other, but there are behavioral differences that distinguish this version from the others,” Merritt said, in an analysis.
The first and most interesting link between JackPOS and the Spark variant is that several of the samples have been found embedded in a compiled AutoIt script, which is used as a malware loader.
Back in May 2013 Trend Micro noted that AutoIT was on the rise as a go-to development language for malware, citing its “ridiculously easy” user experience that allows for quick coding. It enables everything from simple scripts that change text files to scripts that perform mass downloads with complex GUIs. One commonly seen nefarious AutoIT tool code was observed being uploaded to Pastebin as a key logger—evidence, the firm said, that AutoIT was going to break out in a big way.
In Spark’s case, a malicious binary is concatenated into a variable 4,000 bytes at a time and the script's functions are used to load and execute it. The script is converted into a Windows executable by running the utility Aut2Exe, which produces a new binary with the malware inside it.
Malware authors writing scripts to execute another binary on the system usually compile them using Aut2exe for AutoIt, py2exe for python or perl2exe for perl, which all have interpreters; this approach generally results in wide-net, unsophisticated malware. Spark, however, is different.
“In this case…the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution,” Merritt said. “This is a much more advanced technique and is reusable with different embedded binaries.”
The use of the AutoIt compiled script as a loader is a technique that is used with both JackPOS and Spark—and there are several other similar techniques that relate them.
“Both use similar blacklist approaches as well as custom functions for finding CC data,” Merritt said. For instance, he found that while previous versions of Alina include a black list of processes that are not scraped for card data, Spark adds additional applications to the list that are highly unlikely to contain credit card data, like system and common processes.
However, JackPOS almost exclusively attempts to masquerade as Java or a Java utility. It also uses the MAC address as a bot ID and base64 encodes the credit-card data found on the system in order to obfuscate the exfiltration.
“It seems fairly clear that these are two different variants,” Merritt said. “So while these two samples appear to be related, Spark bears a much stronger resemblance to Alina than JackPOS.”
The analysis overall points to the Alina source code being updated recently, and supports the theory that JackPOS is a successor to the Alina code base.
“The use of AutoIt as a loader for both Spark and JackPOS variants indicate that it could have potentially been a version between the transition from Alina to JackPOS,” Merritt said.