New Soraya malware combines best of Zeus and Dexter to target card data

Malware

by | 04 June 2014

Soraya packs a punch with form-grabbing and memory scraping functionalities.

Arbor Networks researchers recently discovered a new family of malware, codenamed Soraya, that combines the memory-scraping techniques found in the POS malware Dexter with the form-grabbing abilities seen in the PC Trojan Zeus.

Soraya has already compromised thousands of payment cards; nearly 64% of them were debit cards and nearly 35% were credit cards.

The majority of these cards were issued in the US, notably Idaho, while more than 21% were issued in Costa Rica and more than 11% in Canada. The malware is capable of infecting both home computers and point-of-sale (POS) devices.

Matt Bing and Dave Loftus, security research analysts at Arbor Networks who discovered Soraya, said that it could date back to March 2014 but was identified only in May. They were able to access payment card track data from a command-and-control server as the attacker made it temporarily available from a public location.

In a blog post, they said that the use of multiple techniques in a single piece of malware is uncommon. It is difficult to know how the malware is being distributed, and so far they have not been able to determine which specific businesses were affected.

"We have a general idea where some of the infections exist," Loftus said. "We have sent the compromised payment card data to the major card providers. They will likely determine the common point of purchases associated with the cards and notify the affected businesses."

Up until now, the traditional techniques for stealing data from POS devices involved physical skimmer devices that captured track information as the card was inserted. But malware like Soraya can live on the POS terminals themselves, enabling attackers to be less obtrusive in their operations.

Another notable feature identified in Soraya is an embedded Luhn algorithm check. The Luhn algorithm is a simple checksum that confirms a 16-digit payment card number is well formed rather than a random string of digits, which lets the malware discard non-card data it scrapes from memory.
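As an added example (not Arbor's code or Soraya's), the following shows the Luhn checksum the article refers to and the filtering step it enables: picking out of a scraped buffer only the 16-digit runs that pass the check. Defensive tools such as DLP scanners and memory-scraper detection rules apply the same test, and the sample buffer, the function names and the well-known test card number 4111111111111111 are constructed for this illustration.

```python
import re


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled digit above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Exactly 16 digits, not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")


def find_candidate_pans(buf: bytes) -> list[str]:
    """Return the 16-digit runs in buf that pass Luhn, in order of appearance."""
    return [m.decode() for m in PAN_RE.findall(buf) if luhn_valid(m.decode())]


# Constructed sample buffer: a test PAN, a copy with one altered digit (fails
# Luhn), a timestamp-like 16-digit run (fails Luhn), and the test PAN inside
# a track-2-style record. Only the two genuine PANs should survive filtering.
SAMPLE_BUFFER = (
    b"ORDER 4111111111111111 OK\x00"
    b"ORDER 4111111111111112 BAD\x00"
    b"TS=2014060412345678\x00"
    b";4111111111111111=1812101?\x00"
)

if __name__ == "__main__":
    for pan in find_candidate_pans(SAMPLE_BUFFER):
        # Never log a full PAN in real tooling; mask it as a card processor would.
        print(pan[:6] + "******" + pan[-4:])
```

A Luhn pass only proves the digits are self-consistent, so detection tooling should combine it with issuer identification number (BIN) ranges and context such as track-2 separators to keep false positives down.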

Loftus added: "A new feature of Soraya appears to be in development that enables Soraya to steal FTP credentials. Once this feature is completed, we believe Soraya will actively be sold to carders in the underground market."

Memory scraping malware like this was used as part of the Target breach and has been found in other retail attacks, as well.
