Soraya Malware Packs Form Grabbing, Memory Scraping Functionality

Malware capable of infecting point-of-sale devices once was a novelty, but it’s quickly becoming more common. Researchers at Arbor Networks have unearthed a new strain of PoS malware called Soraya that can scrape memory and has the ability to intercept information sent from Web forms, a specialty of the Zeus malware family.

Soraya also has some similarities to the older Dexter malware, which infects PoS systems and has memory scraping functionality, as well. Like Dexter, Soraya has the ability to steal payment card information from memory and then sends that data off to a remote C2 server. Attackers typically use that data to clone credit cards and run up fraudulent charges on victims’ accounts.

Researchers at Arbor Networks recently performed an analysis of the new Soraya malware and its infrastructure and discovered that the crew behind it already has compromised thousands of payment card numbers, more than 65 percent of which are from the United States.

More than 65 percent of stolen cards are from the United States.

The next largest swath of affected cards were issued in Costa Rica.

“One thread on the system is responsible for scraping memory for credit card data. It does this by creating the mutex POSMainMutex to ensure it is the only thread operating. Every 5 seconds, the thread will iterate through the list of processes with Process32Next(), ignoring system processes with names shown in Figure 1. It will check memory regions for each process with VirtualQueryEx(), ignoring those with the PAGE_NOACCESS or PAGE_GUARD values set. Valid memory regions are copied with ReadProcessMemory() and examined for payment card data. The Dexter malware family uses a similar technique,” Matthew Bing of Arbor Networks wrote in a detailed analysis of the malware.

“Soraya will scan memory for patterns matching valid payment card data. It does not use regular expressions, but matches the format code ‘B’, patterns of digit strings, and the standard ‘^’ separator as defined in ISO/IEC 7813. One unique aspect of Soraya is that it uses the Luhn algorithm to identify valid credit and debit card numbers, a new technique for memory scraping point-of-sale malware. The Luhn algorithm leverages a simple checksum over credit card numbers to ensure that they are valid. Track 1 and track 2 data are packaged and sent to the command and control (C2) site using the protocol described below as a ‘mode 5’ message.”

The Soraya malware has several different modes, and mode 5 instructs the malware to send captured Track 1 and Track 2 data back to the C2 server.
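The two checks described above, the ISO/IEC 7813 track layout (format code ‘B’, ‘^’ separators, ‘=’ separator on Track 2) and the Luhn checksum, are the same ones a defender applies when auditing whether a PoS application leaves cleartext card data in memory or in logs. The following scanner is an added example written for this article, not code from Arbor Networks or from the Soraya sample: it runs over a byte buffer (a process dump, a log file) and reports every track record it finds, with the PAN masked, together with whether the PAN passes Luhn. Unlike Soraya, which Bing notes avoids regular expressions, this example uses them for brevity; the sample buffer and the card numbers in it are constructed test values.

```python
"""
Card-data discovery over a memory or log buffer (added example, not Arbor's code).
Finds ISO/IEC 7813 Track 1 and Track 2 records and validates the PAN with Luhn.
Intended use: confirm a PoS process does not hold cleartext track data that a
memory scraper such as Soraya could read.
"""
import re

# Track 1: [%]B<PAN 13-19 digits>^<cardholder name>^<YYMM expiry>...
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([^^%?;]{2,26})\^(\d{4})")
# Track 2: ;<PAN 13-19 digits>=<YYMM expiry>...
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right,
    subtract 9 from any doubled value above 9, and the sum must be divisible by 10."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule); mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return one finding per track record, ordered by offset in the buffer."""
    findings = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 1,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "luhn_ok": luhn_valid(pan),
            "expiry_yymm": m.group(3).decode("ascii"),
        })
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append({
            "track": 2,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "luhn_ok": luhn_valid(pan),
            "expiry_yymm": m.group(2).decode("ascii"),
        })
    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed sample buffer: two Track 1 records with Luhn-valid test PANs and one
# Track 2 record whose PAN fails Luhn, surrounded by unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00garbage\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b"\x00\x00"
    b";4111111111111112=25121011234567890?"
    b"\x00more\x00"
    b"%B5555555555554444^SMITH/JOHN^2603101?"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_MEMORY):
        status = "VALID" if f["luhn_ok"] else "fails Luhn"
        print(f"offset {f['offset']:5d}  track {f['track']}  "
              f"{f['pan_masked']}  exp {f['expiry_yymm']}  {status}")
```

The Luhn step is what separates real card data from digit runs that merely look like it, which is why both the malware and a discovery tool apply it; a finding that passes Luhn and carries a plausible expiry is worth a remediation ticket, while one that fails can usually be dismissed as a false positive.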

Malware such as Soraya and Dexter that can steal data from memory is a relatively new development in the PoS malware world. Traditional techniques for stealing data from PoS devices involved physical skimmer devices that captured track information as the card was inserted. But malware that can live on the PoS terminals themselves enables attackers to be less obtrusive with their operations. Memory scraping malware in this vein was used as part of the Target breach and has been found in other retail attacks, as well.

On the Web side, Soraya can grab payment card data from forms as they’re submitted to sites, something that the Zeus malware family has perfected over the years. The combination of the PoS memory scraping functionality and the form-grabbing feature makes Soraya something new on the malware landscape, Bing said.

“Soraya has clearly taken inspiration from the Dexter and the Zeus families. The ‘split brain’ functionality of both memory scraping and form grabbing is Soraya’s most unique trait. In past campaigns, memory scrapers have been uniquely targeted at point-of-sale devices and form grabbers have been uniquely targeted at online bank users,” he said.
