ChewBacca malware steals data from retailers in 11 countries


RSA researchers have uncovered a global malware operation targeting several dozen retailers in 11 countries that relies on a private, key-logging Trojan called ChewBacca.

The discovery was announced in a blog post late last week by Yotam Gottesman, senior security researcher at RSA FirstWatch, in which he said payment and personal data may have been compromised by the operation.

RSA anti-fraud researchers have been in contact with victim companies at the centre of this operation, sharing key forensics information gathered in this investigation.

"RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the US," he wrote.

"Infection activity has also been detected in 10 other countries including Russia, Canada and Australia."

The malware behind the scheme is a Tor-based Trojan known as ChewBacca. Its existence was first flagged in December by a Kaspersky Lab researcher; it records keystrokes and scans the memory of infected systems.

Its use of Tor conceals the IP addresses of the command and control servers to which ChewBacca sends the stolen data.

"RSA researchers discovered that, beginning October 25, it had logged track one and two data of payment cards it had scraped from infected PoS systems," the RSA blog post continued.

The researchers described the malware as a "simple" construct, but said its simplicity belies its ability to steal payment data, and that retailers need to be on their guard against it.

"Retailers have few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers," the blog post states.

"They can encrypt or tokenise data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.