Romanian Cybercriminals Launch “Decebal” POS Malware Written in VBScript

Userlevel 7
Badge +48
Researchers from IT security firm IntelCrawler have identified a new malware, dubbed “Decebal,” that’s designed to steal information from point-of-sale (POS) systems. The threat has been written in VBScript and the functional code is less than 400 lines.

Malware designed to target POS systems is becoming more and more popular, and the recent attacks aimed against Target, Neiman Marcus, and other US retailers demonstrate it.

However, the Decebal malware – whose name stems from Decebalus, the king of Dacia, the historic region that today corresponds to Romania and Moldova – shows that such threats are constantly evolving.

What’s interesting about Decebal is that it’s capable of checking to see if the computer on which it’s deployed is running any sandboxing or reverse engineering software. It’s also designed to validate payment card numbers.

“There was also found Track 2 validation software, used by bad actors to check received compromised data by issuing bank by the first 6 digits (BIN), which has some phrases and text strings in Romanian, pointing on the original roots of possible authors,” IntelCrawler noted in its report.

For instance, when an error occurs in the Track2 data validation process, the message “Esti beat?” is displayed in a pop-up. In Romanian, “Esti beat?” means “Are you drunk?” The strings “Select file” and “Validate” are also written in Romanian.

The Decebal POS malware was first released on January 3, 2014. The threat has a very compact command and control server that acts as a gate for receiving data stolen from POS machines.

“The code is pretty portable, scripting language is great advantage for easy infection to Point-of-Sale and is more flexible then binaries. This example shows that modern retailers environments can face with such threat and bad actors don't need to do lots of efforts for it,” explained Andrew Komarov, CEO of IntelCrawler.

14 hours ago, none of the antivirus engines from VirusTotal detected the threat. The sample was first checked on VirusTotal on January 12, but nothing has changed since then.
Source Article

1 reply

Userlevel 6
This is getting interesting..thanks Jasper_the_Rasper!  RR


    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept or continue browsing you agree to our cookie policy. Learn more about our cookies.

    Accept cookies Cookie settings