Menu
Point-of-sale malware creators still in business with Spark, an Alina spinoff

Point-of-sale malware creators still in business with Spark, an Alina spinoff

Spark is installed by a script written in AutoIt and scrapes card data from the memory of POS terminals

A malware program dubbed Spark that steals payment card data from compromised point-of-sale (POS) systems is likely a modification of an older Trojan called Alina, and highlights a continuing, lucrative business for cybercriminals.

Spark steals card data from a compromised system's RAM (random access memory) when it's being processed by specialized software running on the machine. Similar memory scraping malware was behind large data breaches at numerous retailers over the past two years, including Target, the Home Depot and Neiman Marcus.

Spark gets installed on a system through an AutoIt script that was previously converted into an executable file, according to researchers from security firm Trustwave.

AutoIt is a scripting language for automating Windows graphical user interface interactions.

This distribution method is similar to the one used by another POS malware program called JackPOS, which is why some antivirus vendors detect Spark as JackPOS.

The use of loaders written in scripting languages like AutoIt, Python or Perl to install malware is not new and is a fairly unsophisticated technique. These scripts are converted into executable files that also embed the interpreter needed to execute them on the target system, making their size quite large.

"In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution," the Trustwave researchers said. "This is a much more advanced technique and is reusable with different embedded binaries."

Spark has much more in common with Alina, a family of POS malware that dates back to 2012, than with JackPOS, the Trustwave researchers said. This includes the method used to track infected systems, a black list of system processes that are not being monitored because they're unlikely to handle card data in memory and the method used to obfuscate communication with the command-and-control servers where stolen data is sent.

Previous Alina variants used several legitimate-sounding executable file names, while JackPOS almost exclusively attempted to masquerade as Java or a Java-related utility. Spark, by comparison, runs as a file called hkcmd.exe that is copied in the %APPDATA%\Install\ folder.

"There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base," the Trustwave researchers said in a blog post Thursday. "The Spark variant shows that someone has been updating the Alina source code recently."

Spark first appeared in late 2013, but was seen active in the wild as recent as a month ago, the Trustwave researchers said.

Infecting POS terminals with malware remains a lucrative business for cybercriminals with new malicious programs that target such systems being found every few months. The most common attack vector against POS devices are stolen or weak remote administration credentials that can be easily discovered using brute force methods.

Some new POS terminals protect card data from malware by encrypting it the moment a customer's card is swiped. However, replacing existing POS systems with newer models that support point-to-point encryption would be costly for many retailers, which is why these attacks are not likely to disappear anytime soon.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityfraudmalwaredata breachintrusiontrustwave

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments