Point-of-sale malware creators still in business with Spark, an Alina spinoff

Spark is installed by a script written in AutoIt and scrapes card data from the memory of POS terminals

A malware program dubbed Spark that steals payment card data from compromised point-of-sale (POS) systems is likely a modification of an older Trojan called Alina, and highlights a continuing, lucrative business for cybercriminals.

Spark steals card data from a compromised system's RAM (random access memory) when it's being processed by specialized software running on the machine. Similar memory scraping malware was behind large data breaches at numerous retailers over the past two years, including Target, the Home Depot and Neiman Marcus.

Spark gets installed on a system through an AutoIt script that was previously converted into an executable file, according to researchers from security firm Trustwave.

AutoIt is a scripting language for automating Windows graphical user interface interactions.

This distribution method is similar to the one used by another POS malware program called JackPOS, which is why some antivirus vendors detect Spark as JackPOS.

The use of loaders written in scripting languages like AutoIt, Python or Perl to install malware is not new and is a fairly unsophisticated technique. These scripts are converted into executable files that also embed the interpreter needed to execute them on the target system, making their size quite large.

"In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution," the Trustwave researchers said. "This is a much more advanced technique and is reusable with different embedded binaries."

Spark has much more in common with Alina, a family of POS malware that dates back to 2012, than with JackPOS, the Trustwave researchers said. This includes the method used to track infected systems, a black list of system processes that are not being monitored because they're unlikely to handle card data in memory and the method used to obfuscate communication with the command-and-control servers where stolen data is sent.

Previous Alina variants used several legitimate-sounding executable file names, while JackPOS almost exclusively attempted to masquerade as Java or a Java-related utility. Spark, by comparison, runs as a file called hkcmd.exe that is copied to the %APPDATA%\Install\ folder.
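A detection sketch for the file name and folder reported above, added here as an example and not taken from Trustwave or from the malware itself. It scans constructed process-creation records (the `timestamp|host|image` format and every sample value are assumptions) and goes beyond the stated case by also flagging any other executable started directly from `%APPDATA%\Install\`, since a file name is trivial to change.

```python
import ntpath
import re

# Indicators from the article: file name hkcmd.exe inside the %APPDATA%\Install folder.
SPARK_NAME = "hkcmd.exe"
# %APPDATA% expands differently on Windows XP and on Vista or later.
APPDATA_INSTALL = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming"
    r"|documents and settings\\[^\\]+\\application data)\\install\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Constructed sample records ("timestamp|host|image path"); not real telemetry.
SAMPLE_EVENTS = """\
2015-01-10T09:14:02Z|POS-01|C:\\Windows\\System32\\hkcmd.exe
2015-01-10T09:14:40Z|POS-01|C:\\Users\\cashier\\AppData\\Roaming\\Install\\hkcmd.exe
2015-01-10T09:15:11Z|POS-02|C:\\Documents and Settings\\pos\\Application Data\\Install\\HKCMD.EXE
2015-01-10T09:16:00Z|POS-03|C:\\Users\\cashier\\AppData\\Roaming\\Install\\updater.exe
2015-01-10T09:17:25Z|POS-03|C:\\Program Files\\PosVendor\\pos.exe
"""


def classify(image_path):
    """Return 'high', 'medium' or None for one process image path."""
    path = image_path.strip()
    if not APPDATA_INSTALL.match(path):
        return None  # not launched from a per-user %APPDATA%\Install folder
    name = ntpath.basename(path).lower()  # ntpath parses Windows paths on any OS
    # Exact name match is the reported indicator; other names are the generalization.
    return "high" if name == SPARK_NAME else "medium"


def find_hits(log_text):
    """Return (host, image, severity) for every record worth triaging."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _timestamp, host, image = parts
        severity = classify(image)
        if severity:
            hits.append((host, image.strip(), severity))
    return hits


if __name__ == "__main__":
    for host, image, severity in find_hits(SAMPLE_EVENTS):
        print(f"{severity:6} {host} {image}")
```
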

"There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base," the Trustwave researchers said in a blog post Thursday. "The Spark variant shows that someone has been updating the Alina source code recently."

Spark first appeared in late 2013, but was seen active in the wild as recently as a month ago, the Trustwave researchers said.

Infecting POS terminals with malware remains a lucrative business for cybercriminals, with new malicious programs that target such systems being found every few months. The most common attack vector against POS devices is stolen or weak remote administration credentials that can be easily discovered using brute force methods.

Some new POS terminals protect card data from malware by encrypting it the moment a customer's card is swiped. However, replacing existing POS systems with newer models that support point-to-point encryption would be costly for many retailers, which is why these attacks are not likely to disappear anytime soon.
