"JackPOS" malware masquerades as the Java Update Scheduler
Los Angeles, California - February 10, 2014
According to IntelCrawler, a cyber intelligence firm from Los Angeles, Point-of-Sale malware has continued to evolve steadily since the Target attacks. A new strain of Point-of-Sale malware named "JackPOS", seemingly based on code from "Alina", was detected several days ago in the security community.
The bad actors use similar tactics and methods: once inside the merchant's systems, they parse credit card data out of process memory and collect it.
According to the reverse engineering results, the bad actor distributed several types of malicious code disguised as a Java(TM) Platform SE binary, which replaced the legitimate Java Update Scheduler file and carried that name in its embedded file description strings. The malware is loaded and delivered through a "drive-by" download attack.
Some of the detected samples use APC injection from user space, via the QueueUserAPC API function, into "svchost.exe". The samples are quite fresh and were created close to the beginning of February. The build path recovered from the samples is "C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release".
Several of the loaders found in the detected "drive-by" download attack are written as obfuscated compiled AutoIt scripts, a method that has become quite popular for evading AV detection while unpacking additional malicious binaries and executing further instructions received from the C&C server. According to IntelCrawler there are various attack vectors for planting this kind of malware. The bad actors have used sophisticated scanning, loading and propagation techniques against these vectors to get into the merchant's systems through the external perimeter and then move to the card processing areas, which were possibly not segregated in compliance with PCI policies.
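Compiled AutoIt loaders like those described above can be recognised at triage time without executing them: an executable built by AutoIt3 embeds its (still obfuscated, but identifiable) script resource behind a fixed 16-byte magic followed by the ASCII tag "AU3!EA06". The following Python scanner is an added example, not IntelCrawler's or the malware's code; the sample loader bytes are constructed (a bare "MZ" stub with the marker pasted in), and the marker itself is the well-known AutoIt3 compiled-script signature rather than something taken from this report.

```python
"""Triage check: does a file carry an embedded compiled AutoIt3 script?"""
from pathlib import Path
from typing import List

# Fixed signature that precedes the compiled-script resource in AutoIt3-built
# executables: 16 magic bytes followed by the ASCII tag "AU3!EA06".
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"


def find_autoit_script(data: bytes) -> List[int]:
    """Return the byte offsets of every compiled AutoIt3 script marker in `data`."""
    hits = []
    start = 0
    while (idx := data.find(AU3_MAGIC, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_bytes(data: bytes, label: str = "<memory>") -> dict:
    """Summarise one blob: is it a PE image, and where (if anywhere) is the AutoIt marker?"""
    return {
        "label": label,
        "is_pe": data[:2] == b"MZ",
        "autoit_offsets": find_autoit_script(data),
    }


def scan_file(path) -> dict:
    """Read a file from disk and scan it; use this against quarantined samples."""
    return scan_bytes(Path(path).read_bytes(), label=str(path))


# Constructed sample: an "MZ" stub with padding and the marker embedded, standing
# in for a dropped loader. It is not a real PE and not a real AutoIt binary.
SAMPLE_LOADER = b"MZ" + b"\x00" * 62 + b"padding" + AU3_MAGIC + b"\x00" * 16
# Constructed benign comparison blob with no marker.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    for blob, name in ((SAMPLE_LOADER, "loader.exe"), (SAMPLE_CLEAN, "clean.exe")):
        result = scan_bytes(blob, name)
        verdict = "compiled AutoIt script present" if result["autoit_offsets"] else "no marker"
        print(f"{name}: PE={result['is_pe']}, {verdict} {result['autoit_offsets']}")
```

Run on the constructed loader the scanner reports the marker at offset 71; the clean stub yields none. Absence of the marker proves nothing (a packer can wrap the whole executable), but a hit on a file that presents itself as a Java or Adobe component is a strong signal to escalate, because a legitimate vendor binary has no reason to carry an AutoIt script body.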
It was found that some of the victims were compromised more than 17 days ago, and the attack targeted merchants in Brazil, Canada, France, India, Spain and the US. Even so, a sizeable number of compromised credit cards were issued in other countries, including Argentina and Korea, because many cardholders used infected Point-of-Sale terminals while abroad; this makes such cybercrime transnational and invisible from the end customer's point of view. IntelCrawler's threat intelligence team released a global map of Point-of-Sale infections based on the detected malware's geographical distribution, including JackPOS compromised hosts.
- Xylitol (http://www.xylibox.com)
- MalwareMustDie! (http://malwaremustdie.org/)
IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.