Trustwave Discovers PoS Malware Named “Cherry Picker”


Darkreading.com reported on 12th November, 2015, that researchers at security firm Trustwave have warned of a sophisticated malware tool known as "Cherry Picker" that steals credit and debit card data from point-of-sale systems.

Trustwave researchers had observed some basic elements of the malware as far back as 2011, and it has gone through three iterations since then.

In 2011, Trustwave began analyzing many strains of malicious software designed to inject into processes that hold cardholder data. One of these toolsets comprises two components: sr.exe, which is a command-line interface; and searcher.dll, which sr.exe injects into targeted processes.

This toolset was frequently discovered on infected systems along with other threats, such as a PoS malware written in the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.

Cherry Picker was found on systems infected with searcher.dll, which has managed to stay under the radar. Trustwave noted spotting three versions of the malware, each with minor functional improvements over the previous one.

Researchers say that Cherry Picker relies on a new memory-scraping algorithm and uses a file infector for persistence. It comes with a cleaner component, which removes all traces of the infection from the computer.

Darkreading.com reported on 12th November, 2015, quoting Trustwave as saying "The introduction of (a) way to describe memory and find (cardholder data), a sophisticated file infector and a targeted cleaner program have allowed this malware family to go mostly unnoticed in the security community".

Interestingly, Trustwave, the security firm which first publicly identified the Backoff POS malware affecting over 1,000 U.S. businesses in 2014, raised an alarm about the Cherry Picker POS Malware.

Eweek.com published news on 15th November, 2015, quoting Eric Merritt, Security Researcher of Trustwave SpiderLabs, as saying "Cherry Picker is not related to the Backoff malware family and could well be older than Backoff".

Trustwave says that Cherry Picker will run on most Microsoft Windows operating systems, and it has been tested on Windows 7 and Windows XP. It adds that most infections happen in environments using remote administration software with weak password policies.

» SPAMfighter News - 11/19/2015
