RSA researchers have uncovered the server infrastructure used in a widespread PoS malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the US. Infection activity has also been detected in 10 other countries, including Russia, Canada and Australia. Chewbacca, a relatively new trojan, is being used for simple keylogging and memory-scraping functionality within the greater operation.
“The Chewbacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” said Yotam Gottesman, a senior security researcher at RSA’s FirstWatch team, in a blog.
Researchers at Kaspersky in December reported the new malware, which makes use of the Tor overlay network to protect the location of a server as well as the identity of the owner. It encrypts traffic and avoids network-level detection that way.
At the time though, it hadn’t yet been operationalized in a widespread way: “Chewbacca is currently not offered in public (underground) forums, unlike other toolkits such as Zeus,” Kaspersky noted. “Maybe this is in development, or the malware is just privately used or shared.”
But Chewie has found its way to a buyer of some kind. RSA researchers discovered that it plays an important part in the broader malware campaign, which the firm said goes back to at least October 25, logging track 1 and 2 data from payment cards that it had scraped from infected PoS systems.
Once running, the Chewbacca trojan goes to work with two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as PoS systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.
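The memory scanner described above looks for nothing more than track-formatted strings in a process's memory. As an added example (not code from RSA's or Kaspersky's writeups), the same check is what an incident responder would run over a captured PoS process-memory dump to confirm whether plaintext track 1/2 data is exposed; the sample dump, the offsets and the test PAN below are constructed.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})\d{3}[^?]{0,60}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only the first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return one finding per track-formatted string in buf, ordered by offset."""
    findings = []
    for track, rx, pan_idx, exp_idx in ((1, TRACK1_RE, 1, 3), (2, TRACK2_RE, 1, 2)):
        for m in rx.finditer(buf):
            pan = m.group(pan_idx).decode()
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m.group(exp_idx).decode(),
                "luhn_valid": luhn_ok(pan),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample "memory dump": two well-formed swipes plus one decoy whose
# PAN fails the Luhn check. 4111111111111111 is a widely used test number.
SAMPLE_DUMP = (
    b"\x00\x00txn=17 "
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x00 ;4111111111111111=2512101123456789? "
    b";4111111111111112=2601101000000000? trailing-data\x00"
)

if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_DUMP):
        print(finding)
```

A dump from a system that tokenizes or encrypts at the point of capture should produce no Luhn-valid findings; any hit is direct evidence that cardholder data sits in plaintext where a scraper like this one can read it.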
As for who’s behind the cybertheft, Gottesman said that “before disappearing behind Tor, the controller of this botnet was observed logging into the server from an east European country.”
As for remediation, the trojan is self-contained and runs as-is. It has no dynamic configuration and is non-modular according to RSA’s investigation. After installation, the keylogger creates a file to log keyboard events and window focus changes. RSA said that, as far as it could tell, deleting that file and rebooting will effectively remove Chewbacca from an infected system.
Retailers, though, have a few options for stopping these attackers in the first place.
“They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors,” Gottesman concluded.