Thursday, April 4, 2019
Home / Malware / ChewBacca’s Malware Infrastructure uncovered

ChewBacca’s Malware Infrastructure uncovered

RSA’s security experts discovered that through this operation, attackers utilized the ChewBacca Trojan to grab Track 1 and Track 2 info from payment cards swiped through infected PoS systems going back to Oct. 25, 2013.

ChewBacca  isn’t new, and it’s also not solely employed to target POS systems. The malware comes with the cabability to log keystrokes and scrape a system’s memory. In accordance with the RSA, the memory scanner feature dumps a reproduction of the system’s process  memory and searches it for payment card data. If a card number is found, it is extracted and recorded by the server, the RSA stated.

This specific piece of malware also applies the TOR network to hide it’s command-and-control servers pointed out in December by Kaspersky Labs.

“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection,” Yotam Gottesman, a Senior Security Researcher at RSA, said in a blog post. “The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”

“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” Gottesman mentioned.

The attacks have impacted no less than 41 companies, which includes one medium-sized retailer and lots of gas station chains, an RSA executive, who requested to not be named, Based on the executive, the attackers within this operation compromised credit-card data for around 50,000 customers.

To clarify, this campaign doesn’t seem to be linked by any means to the recent attack against Target Corporation.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …