11/12/2015
03:15 PM
Cherry Picker POS Malware Has Remained Hidden For Four Years

Sophisticated obfuscation techniques have allowed malware to evade AV systems and security vendors for a long time, says Trustwave.

Security and compliance management service provider Trustwave has sounded the alert on what it described as a sophisticated malware tool for stealing credit and debit card data from point-of-sale systems.

The malware, dubbed “Cherry Picker,” has apparently been floating around since 2011. But it has remained largely undetected by antivirus tools and security companies because of the sophisticated techniques it uses to hide itself from sight.

Trustwave described Cherry Picker as being configurable for different purposes and using a new technique for scraping cardholder data from the memory of the POS systems it infects. Cherry Picker’s use of encryption, configuration files, command line arguments, and obfuscation has also allowed the malware to remain undetected for a long time, Trustwave said.

“The introduction of [a] way to parse memory and find [cardholder data], a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community,” Trustwave said in a report on the threat to be released Friday.

Attacks on vulnerable point-of-sale (POS) systems have proved to be a very effective way for criminals to steal credit and debit card data in recent years.

Many POS systems store unencrypted cardholder data in memory very briefly before the data is transmitted to the payment processor for approval. Over the years, cyber crooks have developed and perfected malware tools that are capable of searching for this data in the POS system’s memory and siphoning it out using a variety of methods.

In a report last November, security vendor Symantec identified POS malware as one of the most commonly used methods by cyber criminals to steal payment card data. The POS malware threat has been quietly brewing since at least 2005. But it is only with the massive data breaches of 2013 and 2014, which compromised over 100 million payment cards, that the full scope of the problem has become evident, Symantec said. The growing availability of relatively inexpensive, ready-to-use POS malware kits has added to the problem.

One issue with many POS systems is that payment card numbers are not encrypted within the system’s memory, giving malicious hackers a brief window of opportunity to get at the data.

While a lot of organizations encrypt cardholder data on the way to the payment processor and while in transit within their own networks, they don’t do the same with memory-resident data on the POS, the Symantec report noted. Point-to-point encryption and the use of payment systems based on the Europay Mastercard Visa (EMV) smartcard standard can help mitigate this vulnerability, it added.

The author, or authors, of Cherry Picker have kept incrementally upgrading the tool since it first surfaced in 2011. The malware is now in its third generation and is noteworthy for several reasons, says Eric Merritt, a security researcher at Trustwave.

For instance, few other pieces of malware go to the extent that Cherry Picker does in cleaning up after itself, Merritt says. It is rare for malware writers to spend much effort on hiding their tracks once their task is complete. “They are fairly lazy” in that regard, he says. “But this one went to great lengths to make it look [like] it had not infected the system.”

Merritt says it’s hard to know for sure how many merchant systems Cherry Picker might have infected because of how well the malware has evaded detection.

Cherry Picker’s technique of infecting a legitimate file on the POS system and executing from inside the compromised file suggests a high degree of sophistication on the malware author’s part as well, Merritt says. “It is an interesting piece of malware in that it combines simple techniques and extremely sophisticated techniques” for stealing card data and remaining virtually hidden from detection for the past four or five years.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
 
