Nytro

Romanian Cybercriminals Launch “Decebal” POS Malware Written in VBScript


January 18th, 2014, 09:53 GMT · By Eduard Kovacs

Researchers from IT security firm IntelCrawler have identified a new malware, dubbed “Decebal,” that’s designed to steal information from point-of-sale (POS) systems. The threat has been written in VBScript and the functional code is less than 400 lines.


Malware designed to target POS systems is becoming more and more popular, and the recent attacks aimed against Target, Neiman Marcus, and other US retailers demonstrate it.

However, the Decebal malware – whose name stems from Decebalus, the king of Dacia, the historic region that today corresponds to Romania and Moldova – shows that such threats are constantly evolving.

What’s interesting about Decebal is that it’s capable of checking to see if the computer on which it’s deployed is running any sandboxing or reverse engineering software. It’s also designed to validate payment card numbers.

“There was also found Track 2 validation software, used by bad actors to check received compromised data by issuing bank by the first 6 digits (BIN), which has some phrases and text strings in Romanian, pointing on the original roots of possible authors,” IntelCrawler noted in its report.

For instance, when an error occurs in the Track2 data validation process, the message “Esti beat?” is displayed in a pop-up. In Romanian, “Esti beat?” means “Are you drunk?” The strings “Select file” and “Validate” are also written in Romanian.

The Decebal POS malware was first released on January 3, 2014. The threat has a very compact command and control server that acts as a gate for receiving data stolen from POS machines.

“The code is pretty portable, scripting language is great advantage for easy infection to Point-of-Sale and is more flexible than binaries. This example shows that modern retailers environments can face with such threat and bad actors don't need to do lots of efforts for it,” explained Andrew Komarov, CEO of IntelCrawler.

14 hours ago, none of the antivirus engines from VirusTotal detected the threat. The sample was first checked on VirusTotal on January 12, but nothing has changed since then.

Source: Romanian Cybercriminals Launch “Decebal” POS Malware Written in VBScript
