Soraya Malware Combines Dexter and Zeus Tactics to Steal Card Data

Security company Arbor Networks recently uncovered a new malware family known as Soraya, which combines tactics taken from the notorious Dexter and Zeus trojans in order to capture credit and debit card data from the PoS (point-of-sale) terminals it infects.

Posting on the company blog, Arbor Networks' ASERT (Arbor's Security Engineering and Response Team) states that the newly uncovered malicious program has already stolen data from numerous payment cards.

Arbor's team of experts was able to trace one C&C system because the attackers had temporarily kept their stolen data in a location that was freely accessible. As a result, the experts found that most of the cards compromised through this command-and-control server had been issued by banks in the USA (65%), Costa Rica (21%) and Canada (11%). Further compromised cards came from South Africa (0.8%) and Russia (0.4%), followed by Poland, UK, Panama and Mexico (0.1%).

Explaining what Soraya does, Matthew Bing, Senior Research Engineer at Arbor, says that it employs a "memory scraping" tactic similar to Dexter's, wherein one string helps in completing the process. Infosecurity-magazine.com published this on June 3, 2014.

To start its activity, Soraya inserts itself into different system processes in the form of a string, particularly into explorer.exe, the Windows Shell. It also maintains persistence by copying itself into the AppData directory under the name servhost.exe and then creating a registry entry.
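A defender can hunt for the persistence pattern described above. The following is an added example, not code from the article or from Arbor Networks: it assumes the registry entry is an autorun value (the article says only "a registry entry"), and the sample entries and function names are constructed for illustration.

```python
"""Flag autorun entries that launch a system-binary look-alike from AppData."""
import ntpath
import re
from difflib import SequenceMatcher

# Windows binaries whose names are commonly imitated (short illustrative list).
SYSTEM_NAMES = ("svchost.exe", "services.exe", "lsass.exe", "explorer.exe", "csrss.exe")

# Constructed sample data: (value name, command line) pairs as they might be
# exported from autorun registry locations on a PoS host. Not from the article.
SAMPLE_AUTORUNS = [
    ("OneDrive", r'"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WinHost", r"C:\Users\pos\AppData\Roaming\servhost.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" --quiet'),
]

EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)
APPDATA_RE = re.compile(r"\\appdata\\|^%(?:local)?appdata%\\", re.IGNORECASE)

def image_path(command):
    """Extract the executable path from a command line, quoted or unquoted."""
    m = EXE_RE.search(command)
    return (m.group(1) or m.group(2)) if m else None

def resembles_system_binary(filename, threshold=0.8):
    """Return the system binary name that filename equals or closely imitates."""
    name = filename.lower()
    score, legit = max((SequenceMatcher(None, name, s).ratio(), s) for s in SYSTEM_NAMES)
    return legit if score >= threshold else None

def suspicious_autoruns(entries):
    """Return findings for images under AppData that are named like a system binary."""
    findings = []
    for value_name, command in entries:
        path = image_path(command)
        if not path or not APPDATA_RE.search(path):
            continue  # only user-writable AppData locations are of interest here
        legit = resembles_system_binary(ntpath.basename(path))
        if legit:
            findings.append({"value": value_name, "path": path, "imitates": legit})
    return findings

if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"{f['value']}: {f['path']} imitates {f['imitates']}")
```

Requiring both conditions keeps legitimate software that runs from AppData, such as the OneDrive entry in the sample, out of the results.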

Both Soraya and Dexter are comparatively recent creations among PoS malware programs. Conventional PoS malware relied on physical skimmer devices that captured track details when a card was inserted. Malicious software that persists on the point-of-sale devices themselves, however, results in low detection. Memory-scraping malware of the kind discussed here was used in the Target data breach and has also been discovered in other attacks on retailers.

Online, Soraya is capable of stealing card data that is submitted on websites, a tactic Zeus has used for years. By combining memory scraping on PoS terminals with this data-theft tactic, Soraya becomes a new sample among modern malware, Bing states elsewhere, as threatpost.com reported on June 3, 2014.

» SPAMfighter News - 6/13/2014
