Retailers Hit By ‘ChewBacca’ Malware

A criminal group has used custom-built malicious software, named “ChewBacca”, to infect systems at more than 45 retailers and steal their customers’ credit- and debit-card details, according to an analysis published by security firm RSA.

Once installed, the ChewBacca malware monitors the memory of running processes and checks for data that matches the format of credit and debit cards. The software, also known as a RAM scraper, is similar, but not identical, to the one used in the attacks that stole 40 million payment-card accounts from Target and more than a million accounts from Neiman Marcus, Uri Fleyder, cyber-crime research lab manager at RSA, told eWEEK.

Point-of-sale keylogger

“It is a keylogger, but, besides being that, it is also targeting POS (point-of-sale) terminals,” he said. “We reverse engineered the malware and found that it was searching for credit-card numbers.”

The attacks on Target and Neiman Marcus have highlighted the danger of malware that targets point-of-sale systems. While payment card details are encrypted when stored and being communicated, the information is decrypted in the POS terminal’s memory, giving programs that can access that memory a perfect way to bypass the security surrounding the card numbers.

The attacks on retailers using ChewBacca appear to date back to October 2013, according to RSA’s analysis.

The malware appears to be used by a single group, likely based in the Ukraine, that has targeted retailers for their lax security, he said. While POS systems are typically dedicated to processing payments at retailers, they are – in all other ways – standard computers, usually running an outdated operating system, such as Windows XP.

“Those terminals are practically unprotected,” Fleyder said. “I don’t know why but the retailers do not pay much attention to their point-of-sale terminals.”

The ChewBacca malware was first mentioned in a blog post by security firm Kaspersky Lab, who analysed the malware and discovered that it used the TOR network to mask its traffic. The TOR network is a peer-to-peer network designed to anonymise communications and enhance privacy. In September 2013, the Mevade botnet began using the Tor network to obfuscate its communications, causing a massive spike in traffic on the network.

Retailers infected

The ChewBacca malware lacks sophistication and has no defensive measures to help it hide from reverse engineers, but it was still able to infect a large number of retailers, RSA’s Fleyder said. In its analysis, the company stressed that retailers, who lack security expertise, have a hard time defending against cyber-attacks.

“They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers – (such as) comprehensive monitoring and incident response – or they can encrypt or tokenise data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors,” the company stated.

Are you a security pro? Try our quiz!

Originally published on eWeek.