Security and compliance management service provider Trustwave has sounded the alert on what it described as a sophisticated malware tool for stealing credit and debit card data from point-of-sale systems.

The malware, dubbed “Cherry Picker,” has apparently been floating around since 2011. But it has remained largely undetected by antivirus tools and security companies because of the sophisticated techniques it uses to hide itself from sight.

Trustwave described Cherry Picker as being configurable for different purposes and using a new technique for scraping cardholder data from the memory of the POS systems it infects. Cherry Picker’s use of encryption, configuration files, command line arguments, and obfuscation have also allowed the malware to remain undetected for a long time, Trustwave said.

“The introduction of [a] way to parse memory and find [cardholder data], a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community,” Trustwave said in a report on the threat to be released Friday.

Attacks on vulnerable point-of-sale (POS) systems have proved to be a very effective way for criminals to steal credit and debit card data in recent years.

Many POS systems store unencrypted cardholder data in memory very briefly before the data is transmitted to the payment processor for approval. Over the years, cyber crooks have developed and perfected malware tools that are capable of searching for this data in the POS system’s memory and siphoning it out using a variety of methods.

In a report last November, security vendor Symantec identified POS malware as one of the most commonly used methods by cyber criminals to steal payment card data. The POS malware threat has been quietly brewing since at least 2005. But it is only with the massive data breaches of 2013 and 2014, which compromised over 100 million payment cards, that the full scope of the problem has become evident, Symantec said. The growing availability of relatively inexpensive, ready-to-use POS malware kits has added to the problem.

One issue with many POS systems is that payment card numbers are not encrypted within the system’s memory -- giving malicious hackers a brief window of opportunity to get at the data. 

While a lot of organizations encrypt cardholder data on the way to the payment processor and while in-transit within its own networks, they don’t do the same with memory-resident data on the POS, the Symantec report noted. Point-to-point encryption and the use of payment systems based on the Europay Mastercard Visa (EMV) smartcard standard can help mitigate this vulnerability, it added.

The author, or authors, of Cherry Picker have kept incrementally upgrading the tool since it first surfaced in 2011. The malware is now in its third generation and is noteworthy for several reasons, says Eric Merritt, a security researcher at Trustwave.

For instance, few other pieces of malware go to the extent that Cherry Picker does in cleaning up after itself, Merritt says. It is rare for malware writers to spend much effort on hiding their tracks once their task is complete. “They are fairly lazy,” in that regard he says. “But this one went to great lengths to make it look it had not infected the system.”

Merritt says it’s hard to know for sure how many merchant systems Cherry Picker might have infected because of how well the malware has evaded detection.

Cherry Picker’s technique of infecting a legitimate file on the POS system and executing from inside the compromised file suggests a high degree of sophistication on the malware author’s part as well, Merritt says. “It is an interesting piece of malware in that it combines simple techniques and extremely sophisticated techniques,” for stealing card data and remaining virtually hidden from detection for the past four or five years.