RSA researchers recently found that the ChewBacca point-of-sale (PoS) malware, which was first uncovered by Kaspersky Lab researchers in December of 2013, has been logging track 1 and 2 payment card data stolen from infected PoS systems since October 25, 2013.
Although most infections are in the U.S., infected PoS systems have also been detected in 10 other countries including Russia, Canada and Australia.
The malware includes a keylogger and a memory scanner. "The memory scanner dumps a copy of a process’ memory and searches it using simple regular expressions for card magnetic stripe data," RSA FirstWatch senior security researcher Yotam Gottesman wrote in a blog post. "If a card number is found, it is extracted and logged by the server."
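The regex-over-process-memory approach Gottesman describes, turned to defensive use: an added example (not RSA's, Kaspersky's or the malware's code) that audits a memory-dump or log fragment for ISO/IEC 7813 track 1/2 records and Luhn-validates the PAN, the check a PCI assessor runs to confirm a PoS application does not leave cleartext card data in memory or logs. The dump bytes and the test PAN 4111111111111111 are constructed sample data.

```python
import re

# ISO/IEC 7813 track layouts (public standard):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-']{2,26})\^(\d{4})(\d{3})([^?]{0,50})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")

# Constructed dump fragment: one track 1 record, one track 2 record, and one
# track 2 look-alike whose PAN fails the Luhn check (a false-positive decoy).
SAMPLE_DUMP = (
    b"\x00garbage\x00%B4111111111111111^DOE/JANE^25121011234567890?\x00\x00"
    b";4111111111111111=25121011234567890?\x00"
    b";1234567890123456=2512101000?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum; separates real PANs from digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return Luhn-valid track records found in buf, PAN masked, with offsets."""
    findings = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # decoy / random digits, not a card number
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            findings.append({"track": track, "offset": m.start(),
                             "pan": mask(pan), "expiry_yymm": expiry})
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_DUMP):
        print(f)
```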
ChewBacca, which is disguised as a Windows Print Spooler service executable once installed, uses Tor to avoid network-level detection and to hide the real IP address of its command and control server.
"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," Gottesman wrote.