Menu
Point-of-sale malware creators still in business with Spark, an Alina spinoff

Point-of-sale malware creators still in business with Spark, an Alina spinoff

Spark is installed by a script written in AutoIt and scrapes card data from the memory of POS terminals

A malware program dubbed Spark that steals payment card data from compromised point-of-sale (POS) systems is likely a modification of an older Trojan called Alina, and highlights a continuing, lucrative business for cybercriminals.

Spark steals card data from a compromised system's RAM (random access memory) when it's being processed by specialized software running on the machine. Similar memory scraping malware was behind large data breaches at numerous retailers over the past two years, including Target, the Home Depot and Neiman Marcus.

Spark gets installed on a system through an AutoIt script that was previously converted into an executable file, according to researchers from security firm Trustwave.

AutoIt is a scripting language for automating Windows graphical user interface interactions.

This distribution method is similar to the one used by another POS malware program called JackPOS, which is why some antivirus vendors detect Spark as JackPOS.

The use of loaders written in scripting languages like AutoIt, Python or Perl to install malware is not new and is a fairly unsophisticated technique. These scripts are converted into executable files that also embed the interpreter needed to execute them on the target system, making their size quite large.

"In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution," the Trustwave researchers said. "This is a much more advanced technique and is reusable with different embedded binaries."

Spark has much more in common with Alina, a family of POS malware that dates back to 2012, than with JackPOS, the Trustwave researchers said. This includes the method used to track infected systems, a black list of system processes that are not being monitored because they're unlikely to handle card data in memory and the method used to obfuscate communication with the command-and-control servers where stolen data is sent.

Previous Alina variants used several legitimate-sounding executable file names, while JackPOS almost exclusively attempted to masquerade as Java or a Java-related utility. Spark, by comparison, runs as a file called hkcmd.exe that is copied in the %APPDATA%\Install\ folder.

"There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base," the Trustwave researchers said in a blog post Thursday. "The Spark variant shows that someone has been updating the Alina source code recently."

Spark first appeared in late 2013, but was seen active in the wild as recent as a month ago, the Trustwave researchers said.

Infecting POS terminals with malware remains a lucrative business for cybercriminals with new malicious programs that target such systems being found every few months. The most common attack vector against POS devices are stolen or weak remote administration credentials that can be easily discovered using brute force methods.

Some new POS terminals protect card data from malware by encrypting it the moment a customer's card is swiped. However, replacing existing POS systems with newer models that support point-to-point encryption would be costly for many retailers, which is why these attacks are not likely to disappear anytime soon.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityfraudmalwaredata breachintrusiontrustwave

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments