Researchers at Trustwave SpiderLabs find Spark samples embedded in a compiled AutoIt script.

A variant of the Alina malware family that first appeared in late 2013, and has been observed in the wild as recently as last month, also shares traits with JackPOS but exhibits some distinct “behavioral differences” from those versions, according to researchers at Trustwave's SpiderLabs.

Dubbed Spark by Trustwave security researcher Eric Merritt, the variant is unique in the way several samples are “embedded in a compiled AutoIt script, which then loads the malware into memory,” he wrote in a Thursday blog post.

“The script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution,” Merritt wrote. “Like all such loaders, the binary is initially obfuscated artifacts such as strings and import tables from the malicious binary.”

The Trustwave researcher said in a Thursday email that AutoIt, a freeware scripting language that resembles BASIC and is geared toward both automating the Windows GUI and general scripting, “has been used for malware in the past in a very simple, unsophisticated manner,” but the way Spark uses AutoIt “to perform memory loading is a much more difficult process.”

Since the loader is modular, it “can be used with any malware it wants with a simple copy and paste,” he said. “Attackers can easily alter the malware's file signature to avoid AV detection.”

Ultimately, the technique “makes it simple to quickly deploy different malware with different signatures,” said Merritt.
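The loader pattern described above (a PE held as a hex string in a script variable, then mapped into memory through Win32 calls) is something an analyst can triage for once a compiled AutoIt sample has been decompiled back to .au3 source. The following Python script is an added example and is not code from Trustwave or from the Spark sample; the AutoIt snippet it scans is constructed here, with a dummy, truncated PE header, and the list of loader APIs is an assumption about what such a loader typically needs rather than anything the article states.

```python
import re

# Win32 calls a loader needs to map and run a PE from memory (assumed set).
# Seen together with a large embedded hex blob they are a strong triage signal.
LOADER_APIS = {"VirtualAlloc", "VirtualProtect", "CreateThread",
               "WriteProcessMemory", "CreateRemoteThread"}

# Constructed sample of decompiled AutoIt source (not from the article): a
# variable holding a dummy, truncated MZ/PE header as a hex string, split with
# AutoIt's "& _" line continuation, followed by loader-style DllCalls.
SAMPLE_AU3 = '''\
Global $sBin = "0x4D5A90000300000004000000FFFF0000" & _
    "0000000000000000" & "50450000" & "4C010300"
Global $sUrl = "0x00"
Local $aMem = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "ulong_ptr", 65536, "dword", 0x3000, "dword", 0x40)
Local $aThr = DllCall("kernel32.dll", "handle", "CreateThread", "ptr", 0, "ulong_ptr", 0, "ptr", $aMem[0], "ptr", 0, "dword", 0, "ptr", 0)
'''

def embedded_binaries(src, min_bytes=16):
    """Return {variable: bytes} for variables assigned a 0x... hex literal of at
    least min_bytes bytes, after joining '& _' continuations and '&' pieces."""
    src = re.sub(r'&\s*_\s*\r?\n\s*', '& ', src)
    found = {}
    for m in re.finditer(r'^\s*(?:Global|Local|Dim)?\s*(\$\w+)\s*=\s*(.+)$', src, re.M):
        literal = ''.join(re.findall(r'"([^"]*)"', m.group(2)))
        if not literal.lower().startswith('0x'):
            continue
        try:
            blob = bytes.fromhex(literal[2:])
        except ValueError:          # not a clean hex literal, ignore it
            continue
        if len(blob) >= min_bytes:
            found[m.group(1)] = blob
    return found

def loader_apis(src):
    """Set of memory-loader Win32 API names quoted inside DllCall(...) calls."""
    apis = set()
    for args in re.findall(r'DllCall\s*\(([^)]*)\)', src):
        apis |= set(re.findall(r'"(\w+)"', args)) & LOADER_APIS
    return apis

def triage(src):
    """Flag a script that carries a PE-looking blob AND calls loader APIs."""
    blobs = embedded_binaries(src)
    pe_vars = [v for v, b in blobs.items() if b[:2] == b'MZ' and b'PE\0\0' in b]
    apis = loader_apis(src)
    return {"pe_vars": pe_vars, "loader_apis": sorted(apis),
            "suspicious": bool(pe_vars) and bool(apis)}

if __name__ == "__main__":
    print(triage(SAMPLE_AU3))
```

Because the script can only see decompiled source, it is a triage aid for samples you have already unpacked, not a scanner for the compiled executable itself.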

Spark also differs from Alina at startup and in the way it uses blacklists. While the newer variant uses the same blacklist Alina employs for processes “not scraped for CC data,” it adds more applications, Merritt wrote.

The final two differences in this variant have to do with communication with the C&C server. Where previous versions used “Alina vx.x” as the User-Agent, Spark now uses “something that is supposed to look legitimate,” Merritt wrote.

While “the POST data communication with the C&C server retains the same structure as Alina from v5.2 on, however, Spark chose to reverse the order of the XOR scheme used,” the blog said.