
ChewBacca malware steals data from retailers in 11 countries

RSA researchers uncover global malware operation that relies on ChewBacca keystroke logger.


RSA researchers have uncovered a global malware operation targeting several dozen retailers in 11 countries that relies on a private, key-logging Trojan called ChewBacca.

The discovery was announced in a blog post late last week by Yotam Gottesman, senior security researcher at RSA FirstWatch, in which he said payment card and personal data may have been compromised by the operation.

"RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the US," he wrote.

"Infection activity has also been detected in 10 other countries including Russia, Canada and Australia."

The malware behind the operation is a Tor-based Trojan known as ChewBacca. Its existence was first flagged in December by a Kaspersky Lab researcher. It records keystrokes and scans the memory of running processes, which is how it harvests card data from PoS software that handles that data in the clear.

The Tor component conceals the IP addresses of the command-and-control servers to which ChewBacca sends the stolen data, which makes the infrastructure harder to block or take down by address alone.

"RSA researchers discovered that, beginning October 25, it had logged track one and two data of payment cards it had scraped from infected PoS systems," the RSA blog post continued.

"RSA anti-fraud researchers have been in contact with victim companies at the centre of this operation, sharing key forensics information gathered in this investigation."

The researchers described the malware as "simple", but that simplicity belies its effectiveness at stealing payment data, and retailers need to be on their guard against it.
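The track 1 and track 2 data mentioned above follow the ISO/IEC 7813 magnetic-stripe layouts, and a RAM scraper finds them in process memory with a pattern match much like the one below. The same pattern is what a defender runs over a memory dump, a network capture or a suspect file to confirm that card data is present in plaintext. The following is an added illustration, not code from RSA, Kaspersky Lab or the ChewBacca operation; the sample buffer is constructed here using a well-known Luhn-valid test card number, and the field names and the Luhn filter are the author's choices rather than anything described in the article.

```python
import re

# Simplified ISO/IEC 7813 track layouts:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# PAN length is 13-19 digits; the name field is up to 26 characters.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a report never reproduces the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes, require_luhn: bool = False) -> list:
    """Return track 1/2 hits found in buf, ordered by offset.

    Each hit records the track type, offset, a masked PAN, the expiry (YYMM)
    and whether the PAN passes Luhn. With require_luhn=True only Luhn-valid
    PANs are reported, which is what a triage tool would normally do.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(3).decode(), "luhn_ok": luhn_valid(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": m.group(2).decode(), "luhn_ok": luhn_valid(pan)})
    hits.sort(key=lambda h: h["offset"])
    if require_luhn:
        hits = [h for h in hits if h["luhn_ok"]]
    return hits


# Constructed sample "memory": junk, one track 1 record, one valid track 2
# record and one track 2 record whose PAN fails Luhn (a false positive).
# 4111111111111111 is a publicly known test number, not a real card.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_v2\x00log entry 0042\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00\x00receipt printed\x00"
    b";4111111111111111=2512101123456789?"
    b"\x00garbage\x00"
    b";4111111111111112=2512101000000000?"
    b"\x00\x00"
)


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Run against a real memory image the same regexes apply unchanged; what changes in practice is reading the buffer in chunks with overlap so a record straddling a chunk boundary is not missed, and never writing the unmasked PAN to a log or ticket.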

"Retailers have few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers," the blog post states.

"They can encrypt or tokenise data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."
