Vulnerabilities / Threats

11/12/2015
03:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cherry Picker POS Malware Has Remained Hidden For Four Years

Sophisticated obfuscation techniques have allowed malware to evade AV systems and security vendors for a long time, says Trustwave.

Security and compliance management service provider Trustwave has sounded the alert on what it described as a sophisticated malware tool for stealing credit and debit card data from point-of-sale systems.

The malware, dubbed “Cherry Picker,” has apparently been floating around since 2011. But it has remained largely undetected by antivirus tools and security companies because of the sophisticated techniques it uses to hide itself from sight.

Trustwave described Cherry Picker as being configurable for different purposes and using a new technique for scraping cardholder data from the memory of the POS systems it infects. Cherry Picker’s use of encryption, configuration files, command line arguments, and obfuscation have also allowed the malware to remain undetected for a long time, Trustwave said.

“The introduction of [a] way to parse memory and find [cardholder data], a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community,” Trustwave said in a report on the threat to be released Friday.

Attacks on vulnerable point-of-sale (POS) systems have proved to be a very effective way for criminals to steal credit and debit card data in recent years.

Many POS systems store unencrypted cardholder data in memory very briefly before the data is transmitted to the payment processor for approval. Over the years, cyber crooks have developed and perfected malware tools that are capable of searching for this data in the POS system’s memory and siphoning it out using a variety of methods.

In a report last November, security vendor Symantec identified POS malware as one of the most commonly used methods by cyber criminals to steal payment card data. The POS malware threat has been quietly brewing since at least 2005. But it is only with the massive data breaches of 2013 and 2014, which compromised over 100 million payment cards, that the full scope of the problem has become evident, Symantec said. The growing availability of relatively inexpensive, ready-to-use POS malware kits has added to the problem.

One issue with many POS systems is that payment card numbers are not encrypted within the system’s memory -- giving malicious hackers a brief window of opportunity to get at the data. 

While a lot of organizations encrypt cardholder data on the way to the payment processor and while in-transit within its own networks, they don’t do the same with memory-resident data on the POS, the Symantec report noted. Point-to-point encryption and the use of payment systems based on the Europay Mastercard Visa (EMV) smartcard standard can help mitigate this vulnerability, it added.

The author, or authors, of Cherry Picker have kept incrementally upgrading the tool since it first surfaced in 2011. The malware is now in its third generation and is noteworthy for several reasons, says Eric Merritt, a security researcher at Trustwave.

For instance, few other pieces of malware go to the extent that Cherry Picker does in cleaning up after itself, Merritt says. It is rare for malware writers to spend much effort on hiding their tracks once their task is complete. “They are fairly lazy,” in that regard he says. “But this one went to great lengths to make it look it had not infected the system.”

Merritt says it’s hard to know for sure how many merchant systems Cherry Picker might have infected because of how well the malware has evaded detection.

Cherry Picker’s technique of infecting a legitimate file on the POS system and executing from inside the compromised file suggests a high degree of sophistication on the malware author’s part as well, Merritt says. “It is an interesting piece of malware in that it combines simple techniques and extremely sophisticated techniques,” for stealing card data and remaining virtually hidden from detection for the past four or five years.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...
CVE-2018-19352
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.