Sunday, December 6, 2015

Russian Underground vSkimmer Botnet Targeting E-Payment

A new botnet has emerged from the underground and is menacing the payment world: the threat, dubbed vSkimmer, comes from Russia according to the security firm McAfee.

McAfee researcher Chintan Shah wrote in a blog post that, while monitoring a Russian underground forum, he found a discussion about a Trojan for sale that can steal credit card information from Windows PCs used for financial transactions and card payments.
The vSkimmer agent detects card readers attached to the victim's machine, gathers data from the Windows host and sends it to a remote command-and-control server Base64-encoded. Base64 is an encoding, not encryption: anyone who captures the traffic can decode it, which also makes the beacons easy to spot on the wire.

The malware collects the following information from the infected machine and sends it to the control server:
  • Machine GUID from the Registry
  • Locale info
  • Username
  • Hostname
  • OS version
vSkimmer is described as the successor of Dexter, a financial malware that targeted Point-of-Sale systems to grab card data as it was transmitted during the sales flow.

Dexter is blamed for the loss of nearly 80,000 credit card records and for the 2012 breach of payment card data at Subway restaurants.

According to McAfee researchers, vSkimmer has been offered on the underground forum since February and appears to be an ongoing project.

vSkimmer appears more sophisticated than Dexter while being easier to use: it is an advanced tool for stealing credit card data from Windows hosts.

Like its predecessor Dexter, vSkimmer is designed to operate unnoticed on the compromised host. It also waits for a USB device with a specific volume name to be attached to the compromised machine; once it detects it, the malware dumps the collected data to the removable device, giving the operator an exfiltration path that does not depend on the terminal having network access.

vSkimmer also grabs the Track 2 data stored on the card's magnetic stripe.

To be precise, Track 2 holds the primary account number (PAN), the expiration date and the service code, followed by issuer discretionary data that normally carries the card verification value used in card-present transactions (CVV1/CVC1); together these are what is needed to qualify the card in a swipe transaction, and to clone it onto a blank stripe. The three-digit CVV2 printed on the back of the card is not on the stripe, so Track 2 data alone does not cover card-not-present purchases that require it.

On the credit card grabbing routine, the post states:
vSkimmer maintains a whitelist of processes, which it skips while enumerating the running processes on the infected machine. Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist.

vSkimmer demonstrates cyber crime's great interest in the payments sector: institutions in this sector have already been attacked by malicious code such as Zeus and SpyEye, and this case is just “another example of how financial fraud is actively evolving and how financial Trojans were developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows,” Shah explained in his post. I find it really interesting that the offer of similar malware in the underground is increasing and that its sales model is reaching a level of excellence never seen before... we face difficult times.
