
"Decebal" Point-of-Sale Malware - 400 Lines of VBScript Code from Romania, Researchers warns about evolution of threats and interests to modern retailers

Los Angeles, California - January 16, 2014

Security researchers from IntelCrawler, a Los Angeles based cyber intelligence company, have found new Point-of-Sale malware written entirely in VBScript, which makes it quite unique. Visual Basic Scripting is an active scripting language developed by Microsoft that is modeled on Visual Basic. It runs on a large range of Microsoft Windows environments, which is why the malware works on Windows 95, Windows 98, Windows Millennium, Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7 and Windows 8.

The "Decebal" malware uses Windows Management Instrumentation (WMI) to perform some antivirus bypass techniques and to collect system information. "The functional code is less than 400 lines of code, which shows the evolution of Point-of-Sale malware. Past incidents in retailers, such as Target and Neiman Marcus, show that this niche has become one of the most attractive for modern cyber criminals. The compact code allows for the securing of credit cards at the point of sale", said Dan Clements, President of IntelCrawler.

The malware also checks the victim's system for the presence of sandboxing and reverse-engineering software, including Sandboxie, WinDbg, Buster Sandbox Analyzer, VMware, Joe Sandbox Desktop and ThreatAnalyzer (formerly CWSandbox).

Track data is collected using purpose-built functions that read process memory by signature, combined with built-in VBScript functions for manipulating virtual memory.

The authors have also implemented the Luhn algorithm in VBScript to validate credit card numbers. It is used together with a regular expression that scrapes RAM for a predefined Track 2 template, walking the process list with functions such as CreateToolhelp32Snapshot and Process32Next.

Also found was Track 2 validation software, used by bad actors to check received compromised data by the first 6 digits (BIN). It contains phrases and text strings in Romanian, pointing to the probable origin of the authors. The monument of King Decebal, or Decebalus, was completed in 2004 and overlooks the Danube, the river in Central Europe whose delta lies mostly in Romania (Tulcea county). Decebal (Moldova Veche) Island, or Ostrovul Decebal, is also an island on the Danube in Romania.

According to IntelCrawler, the malware was released by cybercriminals on January 3, 2014, and one of the domains where they stored the source code was also found: http://order-trade.net, registered to an anonymous person protected by WhoisGuard (Panama).

It has a very compact C&C acting as a gate for receiving compromised data from infected Point-of-Sale systems, written in only 44 lines of PHP:

As of today, the detection ratio for the functional script code is 0/47 according to VirusTotal:
https://www.virustotal.com/en/file/04356be4a75eff7cba72ac82004579e8ab4d03e71d27a3007500ba97f44c6066/analysis/1389525363/

"The code is pretty portable. Scripting language is a great advantage for easy infection of the Point-of-Sales and is more flexible than binaries. This example shows that modern retailers' environments can be faced with such a threat and bad actors don't need to put a lot of effort into it", comments Andrew Komarov, Chief Executive Officer of IntelCrawler.

About IntelCrawler

IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.