Point-of-sale malware creators still in business with Spark, an Alina spinoff

Spark is installed by a script written in AutoIt and scrapes card data from the memory of POS terminals

A malware program dubbed Spark that steals payment card data from compromised point-of-sale (POS) systems is likely a modification of an older Trojan called Alina, and highlights a continuing, lucrative business for cybercriminals.

Spark steals card data from a compromised system's RAM (random access memory) when it's being processed by specialized software running on the machine. Similar memory scraping malware was behind large data breaches at numerous retailers over the past two years, including Target, the Home Depot and Neiman Marcus.

Spark gets installed on a system through an AutoIt script that was previously converted into an executable file, according to researchers from security firm Trustwave.

AutoIt is a scripting language for automating Windows graphical user interface interactions.

This distribution method is similar to the one used by another POS malware program called JackPOS, which is why some antivirus vendors detect Spark as JackPOS.

The use of loaders written in scripting languages like AutoIt, Python or Perl to install malware is not new and is a fairly unsophisticated technique. These scripts are converted into executable files that also embed the interpreter needed to execute them on the target system, making their size quite large.

"In this case, however, the script has a binary in a variable that is loaded into dynamic memory and fixes up all the addresses required for execution," the Trustwave researchers said. "This is a much more advanced technique and is reusable with different embedded binaries."

Spark has much more in common with Alina, a family of POS malware that dates back to 2012, than with JackPOS, the Trustwave researchers said. This includes the method used to track infected systems, a black list of system processes that are not being monitored because they're unlikely to handle card data in memory and the method used to obfuscate communication with the command-and-control servers where stolen data is sent.

Previous Alina variants used several legitimate-sounding executable file names, while JackPOS almost exclusively attempted to masquerade as Java or a Java-related utility. Spark, by comparison, runs as a file called hkcmd.exe that is copied in the %APPDATA%\Install\ folder.

"There have been rumors and conjecture about Alina source code being sold off as well as JackPOS being a successor to the Alina code base," the Trustwave researchers said in a blog post Thursday. "The Spark variant shows that someone has been updating the Alina source code recently."

Spark first appeared in late 2013, but was seen active in the wild as recent as a month ago, the Trustwave researchers said.

Infecting POS terminals with malware remains a lucrative business for cybercriminals with new malicious programs that target such systems being found every few months. The most common attack vector against POS devices are stolen or weak remote administration credentials that can be easily discovered using brute force methods.

Some new POS terminals protect card data from malware by encrypting it the moment a customer's card is swiped. However, replacing existing POS systems with newer models that support point-to-point encryption would be costly for many retailers, which is why these attacks are not likely to disappear anytime soon.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags intrusiontrustwavesecuritydata breachmalwarefraud

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?