01-18-2014 01:26 PM
Researchers from IT security firm IntelCrawler have identified a new malware, dubbed “Decebal,” that’s designed to steal information from point-of-sale (POS) systems. The threat has been written in VBScript and the functional code is less than 400 lines.
Malware designed to target POS systems is becoming more and more popular, and the recent attacks aimed against Target, Neiman Marcus, and other US retailers demonstrate it.
However, the Decebal malware – whose name stems from Decebalus, the king of Dacia, the historic region that today corresponds to Romania and Moldova – shows that such threats are constantly evolving.
What’s interesting about Decebal is that it’s capable of checking to see if the computer on which it’s deployed is running any sandboxing or reverse engineering software. It’s also designed to validate payment card numbers.
“There was also found Track 2 validation software, used by bad actors to check received compromised data by issuing bank by the first 6 digits (BIN), which has some phrases and text strings in Romanian, pointing on the original roots of possible authors,” IntelCrawler noted in its report.
For instance, when an error occurs in the Track2 data validation process, the message “Esti beat?” is displayed in a pop-up. In Romanian, “Esti beat?” means “Are you drunk?” The strings “Select file” and “Validate” are also written in Romanian.
The Decebal POS malware was first released on January 3, 2014. The threat has a very compact command and control server that acts as a gate for receiving data stolen from POS machines.
“The code is pretty portable, scripting language is great advantage for easy infection to Point-of-Sale and is more flexible then binaries. This example shows that modern retailers environments can face with such threat and bad actors don't need to do lots of efforts for it,” explained Andrew Komarov, CEO of IntelCrawler.
14 hours ago, none of the antivirus engines from VirusTotal detected the threat. The sample was first checked on VirusTotal on January 12, but nothing has changed since then.