The recent surge in cybercrime has brought Point of Sale (POS) systems into the crosshairs of attackers, particularly highlighted by significant data breaches at major U.S. retailers including Target and Neiman Marcus. These incidents exposed the sensitive financial information of over 110 million and 1.1 million customers, respectively, underscoring the vulnerability of POS systems to sophisticated cyber threats.
Research from various cybersecurity firms indicates that malware threats like BlackPOS are primarily responsible for these breaches. However, cybersecurity experts warn that malware creators are evolving their tactics, designing more advanced Trojans to compromise POS systems. One such threat is the recently identified ChewBacca Trojan, which initially emerged as banking malware but has since adapted to target POS transactions, escalating in both sophistication and stealth.
In December, researchers at Kaspersky Lab first identified ChewBacca, initially categorized as a financial Trojan. However, investigations by RSA have revealed its capability to extract credit card information directly from POS systems. Operating across 11 countries, this Trojan utilizes the anonymity provided by the Tor network to communicate with its command-and-control (C&C) servers, effectively masking the identity of the attackers and the systems being targeted.
ChewBacca executes its data theft through dual mechanisms: a generic keylogger that records keystrokes and a memory scanner that extracts credit card details directly from the system’s memory. Since its inception, this malware has been actively harvesting track 1 and track 2 data from payment cards. Its presence has been noted predominantly in the U.S. and extended to regions including Russia, Canada, and Australia, according to RSA’s analysis.
Installation of ChewBacca occurs in a manner designed for persistence. Upon execution, it replicates itself as “spoolsv.exe” and embeds this copy in the Windows Startup folder, ensuring that the Trojan activates upon system login. Following this, the keylogger component generates a log file named “system.log” in the system’s temp folder, capturing keystrokes and window focus changes that provide critical insights into user activity and data inputs.
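The two persistence artifacts described above (a copy of the Trojan saved as spoolsv.exe in the Startup folder, and a system.log keystroke log in the temp folder) can be turned into a simple host check. The following is an added example written for this article, not code from RSA or Kaspersky; the Startup and temp folder locations and the sample file listing are assumptions constructed for illustration.

```python
"""Check a file listing for the ChewBacca persistence artifacts named in the article.

The legitimate Windows print spooler lives in <drive>\Windows\System32, so a
spoolsv.exe anywhere else, and especially in a Startup folder, is suspect.
"""
import os
from pathlib import PureWindowsPath
from typing import Optional

# Assumed per-user and all-users Startup folders plus the user temp folder.
SCAN_DIRS = (
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"%TEMP%",
)

def classify_path(path: str) -> Optional[str]:
    """Return an indicator label for one file path, or None if it looks benign."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parts = [s.lower() for s in p.parts]
    if name == "spoolsv.exe":
        if "windows" in parts and "system32" in parts:
            return None  # the real print spooler
        if "startup" in parts:
            return "spoolsv.exe in Startup folder (ChewBacca persistence)"
        return "spoolsv.exe outside System32"
    if name == "system.log" and "temp" in parts:
        return "system.log in temp folder (ChewBacca keystroke log)"
    return None

def scan_paths(paths):
    """Return (path, label) pairs for every suspicious path in the iterable."""
    return [(p, classify_path(p)) for p in paths if classify_path(p)]

def scan_host():
    """List the files in the real Startup and temp folders of this host and scan them."""
    candidates = []
    for d in SCAN_DIRS:
        folder = os.path.expandvars(d)
        if os.path.isdir(folder):
            candidates.extend(os.path.join(folder, f) for f in os.listdir(folder))
    return scan_paths(candidates)

# Constructed sample listing for demonstration, not taken from an infected host.
SAMPLE_LISTING = [
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Users\clerk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
    r"C:\Users\clerk\AppData\Local\Temp\system.log",
    r"C:\Users\clerk\AppData\Local\Temp\setup.log",
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_LISTING):
        print(f"{label}: {path}")
```

Running scan_host() on a Windows endpoint performs the same check against the live folders; a hit is a reason to pull the file for analysis, not proof of infection by itself.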
The RSA analysis contends that “The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months.”
While neither RSA nor Kaspersky has disclosed the specifics of how ChewBacca spreads, its detection has prompted concerns among regulatory bodies and government agencies. RSA has provided the FBI with pertinent data related to ChewBacca’s operations, including the location of a C&C server used by the attackers. Cybersecurity experts are urging retailers to bolster their defenses by implementing comprehensive monitoring systems and incident response strategies, and by encrypting or tokenizing data at the point of entry to mitigate risk effectively. This proactive approach aims to prevent sensitive information from appearing in clear text on networks, shifting the burden of protection to card issuers and payment processors.