Vulnerabilities / Threats

11/12/2015
03:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cherry Picker POS Malware Has Remained Hidden For Four Years

Sophisticated obfuscation techniques have allowed malware to evade AV systems and security vendors for a long time, says Trustwave.

Security and compliance management service provider Trustwave has sounded the alert on what it described as a sophisticated malware tool for stealing credit and debit card data from point-of-sale systems.

The malware, dubbed “Cherry Picker,” has apparently been floating around since 2011. But it has remained largely undetected by antivirus tools and security companies because of the sophisticated techniques it uses to hide itself from sight.

Trustwave described Cherry Picker as being configurable for different purposes and using a new technique for scraping cardholder data from the memory of the POS systems it infects. Cherry Picker’s use of encryption, configuration files, command line arguments, and obfuscation have also allowed the malware to remain undetected for a long time, Trustwave said.

“The introduction of [a] way to parse memory and find [cardholder data], a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community,” Trustwave said in a report on the threat to be released Friday.

Attacks on vulnerable point-of-sale (POS) systems have proved to be a very effective way for criminals to steal credit and debit card data in recent years.

Many POS systems store unencrypted cardholder data in memory very briefly before the data is transmitted to the payment processor for approval. Over the years, cyber crooks have developed and perfected malware tools that are capable of searching for this data in the POS system’s memory and siphoning it out using a variety of methods.

In a report last November, security vendor Symantec identified POS malware as one of the most commonly used methods by cyber criminals to steal payment card data. The POS malware threat has been quietly brewing since at least 2005. But it is only with the massive data breaches of 2013 and 2014, which compromised over 100 million payment cards, that the full scope of the problem has become evident, Symantec said. The growing availability of relatively inexpensive, ready-to-use POS malware kits has added to the problem.

One issue with many POS systems is that payment card numbers are not encrypted within the system’s memory -- giving malicious hackers a brief window of opportunity to get at the data. 

While a lot of organizations encrypt cardholder data on the way to the payment processor and while in-transit within its own networks, they don’t do the same with memory-resident data on the POS, the Symantec report noted. Point-to-point encryption and the use of payment systems based on the Europay Mastercard Visa (EMV) smartcard standard can help mitigate this vulnerability, it added.

The author, or authors, of Cherry Picker have kept incrementally upgrading the tool since it first surfaced in 2011. The malware is now in its third generation and is noteworthy for several reasons, says Eric Merritt, a security researcher at Trustwave.

For instance, few other pieces of malware go to the extent that Cherry Picker does in cleaning up after itself, Merritt says. It is rare for malware writers to spend much effort on hiding their tracks once their task is complete. “They are fairly lazy,” in that regard he says. “But this one went to great lengths to make it look it had not infected the system.”

Merritt says it’s hard to know for sure how many merchant systems Cherry Picker might have infected because of how well the malware has evaded detection.

Cherry Picker’s technique of infecting a legitimate file on the POS system and executing from inside the compromised file suggests a high degree of sophistication on the malware author’s part as well, Merritt says. “It is an interesting piece of malware in that it combines simple techniques and extremely sophisticated techniques,” for stealing card data and remaining virtually hidden from detection for the past four or five years.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.