A variant of the Alina malware family that first appeared in late 2013 and has been observed in the wild as recently as last month also shares traits with JackPOS but exhibits some distinct “behavioral differences” from those versions, according to researchers at Trustwave's SpiderLabs.
Dubbed Spark by Trustwave security researcher Eric Merritt, the variant is unique in the way several samples are “embedded in a compiled AutoIt script, which then loads the malware into memory,” he wrote in a Thursday blog post.
“The script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution,” Merritt wrote. “Like all such loaders, the binary is initially obfuscated artifacts such as strings and import tables from the malicious binary.”
AutoIt is a freeware scripting language that resembles BASIC and is geared toward automating the Windows GUI as well as general scripting. While the Trustwave researcher told SCMagazine.com in a Thursday email correspondence that AutoIt “has been used for malware in the past in a very simple, unsophisticated manner,” the way Spark uses AutoIt “to perform memory loading is a much more difficult process.”
Since the loader is modular, it “can be used with any malware it wants with a simple copy and paste,” he said. “Attackers can easily alter the malware's file signature to avoid AV detection.”
Ultimately, the technique “makes it simple to quickly deploy different malware with different signatures,” said Merritt.
Spark also differs from Alina in its startup behavior and in the way that it uses blacklists. While the newer variant uses the same blacklist employed by Alina for processes “not scraped for CC data,” it adds more applications, Merritt wrote.
The final two differences in this variant have to do with communication with the C&C server. Where previous versions used “Alina vx.x” as the User-Agent, Spark now uses “something that is supposed to look legitimate,” Merritt wrote.
The blog also noted that “the POST data communication with the C&C server retains the same structure as Alina from v5.2 on, however, Spark chose to reverse the order of the XOR scheme used.”
Spark also shares techniques with JackPOS, including the use of AutoIt compiled script as a loader, “similar blacklist approaches as well as custom functions for finding CC data,” the blog said. “However, JackPOS almost exclusively attempts to masquerade as java or a java utility.”
SpiderLabs' findings show “someone has been updating the Alina source code recently,” Merritt wrote. “The Spark string that shows up in both the named pipe and the POST communication shows an obvious distinction from previous Alina versions.”
The Spark variant is similar to other POS memory scrapers in that it “can steal payment card information from any POS system it's installed on,” but the variant and other versions of Alina “have the ability to update themselves. So the threat level can change at any time,” Merritt told SCMagazine.com. “Also, any time attackers have access to a system they have the ability to affect it.”
To protect themselves against Spark and similar malware, “businesses should isolate their payment networks and keep their systems responsible for accessing payment card data hardened by applying strict security policies such as strong passwords and disabling any unused services,” Merritt said. “Network protections such as IDS/IPS and Egress Filtering can also detect infection and potentially limit automated exfiltration of the stolen credit cards.”
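Merritt's point that Spark's User-Agent now imitates legitimate traffic has a direct consequence for the egress filtering he recommends: a rule keyed to the old “Alina vx.x” User-Agent misses it, while a destination allowlist for the payment segment does not. The following Python is an added illustration, not code from Trustwave or the article; the log records, hostnames, the allowlist and the Spark-style User-Agent string are all constructed placeholders.

```python
import re

# Constructed sample of HTTP egress records from a payment segment (not real traffic).
# Each record: (source host, destination, HTTP method, User-Agent).
SAMPLE_EGRESS = [
    ("pos-01", "payments.example-processor.test", "POST", "POSClient/2.1"),
    ("pos-02", "203.0.113.45", "POST", "Alina v5.2"),  # old Alina-style User-Agent
    ("pos-03", "203.0.113.77", "POST", "Mozilla/5.0 (Windows NT 6.1)"),  # Spark-style: looks legitimate
    ("pos-01", "updates.example-vendor.test", "GET", "POSClient/2.1"),
]

# Constructed egress allowlist: the only destinations POS hosts in the segment may reach.
ALLOWED_DESTINATIONS = {"payments.example-processor.test", "updates.example-vendor.test"}

# Signature for the legacy "Alina vx.x" User-Agent named in the article.
LEGACY_UA = re.compile(r"^Alina v\d+\.\d+$")


def legacy_ua_hits(records):
    """Signature-style check: matches only records carrying the old Alina User-Agent."""
    return [r for r in records if LEGACY_UA.match(r[3])]


def egress_violations(records, allowed=ALLOWED_DESTINATIONS):
    """Allowlist check: any request from the segment to a destination not on the allowlist."""
    return [r for r in records if r[1] not in allowed]


def compare(records):
    """Return which hosts each approach flags, and which the signature alone would miss."""
    signature = {r[0] for r in legacy_ua_hits(records)}
    egress = {r[0] for r in egress_violations(records)}
    return {
        "signature_only": signature,
        "egress_allowlist": egress,
        "missed_by_signature": egress - signature,
    }


if __name__ == "__main__":
    for name, hosts in compare(SAMPLE_EGRESS).items():
        print(f"{name}: {sorted(hosts)}")
```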