Point-of-sale malware creators still in business with Spark, an Alina spinoff

Spark is installed by a script written in AutoIt and scrapes card data from the memory of POS terminals

A malware program dubbed Spark that steals payment card data from compromised point-of-sale (POS) systems is likely a modification of an older Trojan called Alina, and highlights a continuing, lucrative business for cybercriminals.

Spark steals card data from a compromised system's RAM (random access memory) while the data is being processed by specialized payment software running on the machine. Similar memory-scraping malware was behind large data breaches at numerous retailers over the past two years, including Target, Home Depot and Neiman Marcus.

Spark gets installed on a system through an AutoIt script that was previously converted into an executable file, according to researchers from security firm Trustwave.

AutoIt is a scripting language for automating Windows graphical user interface interactions.

This distribution method is similar to the one used by another POS malware program called JackPOS, which is why some antivirus vendors detect Spark as JackPOS.

The use of loaders written in scripting languages like AutoIt, Python or Perl to install malware is not new and is a fairly unsophisticated technique. These scripts are converted into executable files that also embed the interpreter needed to execute them on the target system, making their size quite large.

"In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution," the Trustwave researchers said. "This is a much more advanced technique and is reusable with different embedded binaries."

Spark has much more in common with Alina, a family of POS malware that dates back to 2012, than with JackPOS, the Trustwave researchers said. This includes the method used to track infected systems, a blacklist of system processes that are not monitored because they are unlikely to handle card data in memory, and the method used to obfuscate communication with the command-and-control servers to which stolen data is sent.

Previous Alina variants used several legitimate-sounding executable file names, while JackPOS almost exclusively attempted to masquerade as Java or a Java-related utility. Spark, by comparison, runs as a file called hkcmd.exe that is copied to the %APPDATA%\Install\ folder.
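The file name and folder reported above are the kind of detail a defender can turn into a host check. The following script is an added example, not code from Trustwave or from the article: given a list of running-process image paths (a constructed sample is embedded below), it flags any hkcmd.exe that runs from somewhere other than the Windows system directories, and separately flags the %APPDATA%\Install\hkcmd.exe location the article reports for Spark. The expected system directories and the sample process list are assumptions for the example; the legitimate Intel hotkey helper of the same name normally lives under the Windows system directory.

```python
import ntpath
import os
from collections import deque

# Constructed sample of process records as an endpoint agent might report them
# (these entries are made up for the example and are not data from the article).
SAMPLE_PROCESSES = [
    {"pid": 412, "path": r"C:\Windows\System32\hkcmd.exe"},
    {"pid": 2210, "path": r"C:\Users\pos\AppData\Roaming\Install\hkcmd.exe"},
    {"pid": 3301, "path": r"C:\Program Files\POSVendor\pos.exe"},
    {"pid": 3302, "path": r"C:\Windows\System32\svchost.exe"},
]

# Directories where the legitimate hkcmd.exe is expected (assumption for the example).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# %APPDATA% normally resolves to C:\Users\<user>\AppData\Roaming, so the path
# the article gives for Spark ends with this suffix.
SPARK_PATH_SUFFIX = r"\appdata\roaming\install\hkcmd.exe"


def is_masquerading(path):
    """True if the path names hkcmd.exe outside the expected system directories."""
    directory, name = ntpath.split(path.lower())
    if name != "hkcmd.exe":
        return False
    return directory not in EXPECTED_DIRS


def in_spark_install_dir(path):
    """True if the path matches the %APPDATA%\\Install\\hkcmd.exe location reported for Spark."""
    return path.lower().endswith(SPARK_PATH_SUFFIX)


def flag_processes(processes):
    """Return a list of findings, one per process that trips either check."""
    findings = []
    for proc in processes:
        reasons = []
        if is_masquerading(proc["path"]):
            reasons.append("hkcmd.exe running outside the Windows system directory")
        if in_spark_install_dir(proc["path"]):
            reasons.append("matches the %APPDATA%\\Install\\hkcmd.exe location reported for Spark")
        if reasons:
            findings.append({"pid": proc["pid"], "path": proc["path"], "reasons": reasons})
    return findings


def spark_file_present():
    """Live check on the current host: does %APPDATA%\\Install\\hkcmd.exe exist?

    Returns None when %APPDATA% is not set (for example on a non-Windows host).
    """
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return os.path.exists(os.path.join(appdata, "Install", "hkcmd.exe"))


if __name__ == "__main__":
    for finding in flag_processes(SAMPLE_PROCESSES):
        print(finding["pid"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
    print("Spark install path present on this host:", spark_file_present())
```

On a real host, feed flag_processes the image paths collected by your EDR or a process listing, and treat the file-presence check as a quick triage step rather than proof of infection: a match warrants pulling the file for analysis and checking the process tree, not an automatic verdict.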

"There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base," the Trustwave researchers said in a blog post Thursday. "The Spark variant shows that someone has been updating the Alina source code recently."

Spark first appeared in late 2013 but was seen active in the wild as recently as a month ago, the Trustwave researchers said.

Infecting POS terminals with malware remains a lucrative business for cybercriminals, and new malicious programs that target such systems are found every few months. The most common attack vector against POS devices is stolen or weak remote administration credentials, which can be easily discovered using brute force methods.
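Because the article names credential brute forcing as the most common way in, a burst of failed remote logons against a POS host is the signal worth alerting on. The script below is an added example, not part of the article or of Trustwave's research: it runs a sliding-window count of failed logons per source address over a constructed, simplified log (one line per event, using the Windows failed-logon event ID 4625 and documentation IP ranges) and reports any source that exceeds a threshold within the window. The log format, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line with a timestamp,
# the Windows event ID (4625 = failed logon, 4624 = successful logon), the
# source address and the account name. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2015-01-15T10:00:01 EventID=4625 src=203.0.113.5 user=admin
2015-01-15T10:00:03 EventID=4625 src=203.0.113.5 user=admin
2015-01-15T10:00:04 EventID=4625 src=198.51.100.7 user=clerk
2015-01-15T10:00:05 EventID=4625 src=203.0.113.5 user=administrator
2015-01-15T10:00:07 EventID=4625 src=203.0.113.5 user=pos
2015-01-15T10:00:09 EventID=4625 src=203.0.113.5 user=admin
2015-01-15T10:00:12 EventID=4625 src=203.0.113.5 user=admin
2015-01-15T10:01:30 EventID=4624 src=198.51.100.7 user=clerk
2015-01-15T10:02:00 EventID=4625 src=192.0.2.9 user=admin
2015-01-15T10:04:00 EventID=4625 src=192.0.2.9 user=admin
2015-01-15T10:06:00 EventID=4625 src=192.0.2.9 user=admin
2015-01-15T10:08:00 EventID=4625 src=192.0.2.9 user=admin
2015-01-15T10:10:00 EventID=4625 src=192.0.2.9 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)

FAILED_LOGON = 4625


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "src": m["src"],
        "user": m["user"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: details} for sources with >= threshold failed logons in one window.

    Lines are assumed to be in chronological order. Each source keeps a deque of
    recent failure timestamps; timestamps older than the window are dropped as
    new events arrive, so the deque length is the count inside the window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["eid"] != FAILED_LOGON:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = {
                "first_alert_at": rec["ts"],
                "failures_in_window": len(q),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures_in_window']} failed logons by {info['first_alert_at']}")
```

In the sample, only 203.0.113.5 trips the rule: 198.51.100.7 fails once and then succeeds, and 192.0.2.9 fails five times but two minutes apart, so it never has five failures inside the 60-second window. Tune the threshold and window to the host's normal traffic, and pair the alert with the obvious preventive controls the article implies: strong, unique remote administration credentials and lockout or rate limiting on the remote access service.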

Some new POS terminals protect card data from malware by encrypting it the moment a customer's card is swiped. However, replacing existing POS systems with newer models that support point-to-point encryption would be costly for many retailers, which is why these attacks are not likely to disappear anytime soon.
