Monday 3 February 2014

ChewBacca Tor Trojan caught ransacking retail systems

A campaign called ChewBacca, which uses malware to steal customer card details and personal information from "several dozen" retailers, has been uncovered by security firm RSA.
Yotam Gottesman, a senior security researcher on RSA's FirstWatch team, reported the campaign in a blog post, confirming that it is active in at least 10 countries.
"In a recent investigation, RSA researchers uncovered the server infrastructure used in a global point-of-sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the US. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia," read the post.
RSA reportedly first uncovered the campaign in October 2013. It relies on a dangerous new Trojan, codenamed "ChewBacca," which uses a two-tier strategy to steal the information and connect the infected machine to a botnet owned by its authors.
"ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as point-of-sale (POS) systems," read the post.
"The memory scanner dumps a copy of a process's memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server."
It is currently unknown which companies ChewBacca managed to infiltrate, and at the time of publishing RSA had not responded to V3's request for comment.
Gottesman said ChewBacca is difficult to track as it uses the anonymous Tor network to communicate with its command and control (C&C) servers. "RSA observed that communication is handled through the Tor network, concealing the real IP address of the C&Cs, encrypting traffic and avoiding network-level detection," read the post.
He added that, despite the difficulty, evidence suggests it stemmed from Eastern Europe. "Before disappearing behind TOR, the controller of this botnet was observed logging into the server from an east European country," he explained.
ChewBacca is one of many malicious, data-stealing campaigns to be linked to Eastern European hackers in recent years. US security firm CrowdStrike reported uncovering an operation, codenamed Energetic Bear, stealing data from the energy sector earlier in January.
