
Security researchers have detected a new strain of malware which incorporates powerful features borrowed from the Zeus and Dexter Trojans to target payment card data by infecting retail point-of-sale (PoS) terminals.

“Dubbed Soraya, meaning ‘rich,’ this malware uses memory scraping techniques similar to those found in Dexter to target point-of-sale terminals. Soraya also intercepts form data sent from web browsers, similar to the Zeus family of malware,” wrote Arbor Networks’ Matt Bing and Dave Loftus. “Neither of these two techniques are new, but we have not seen them used together in the same piece of malware.”

Detailed analysis of Soraya led the researchers to conclude that “thousands of payment cards have been compromised”: they were able to extract track data from one command and control (C&C) server after the malware’s operators had temporarily placed some payment card data in a publicly accessible location.

“Our analysis revealed that 65.16% of the payment cards compromised were issued by financial institutions located in the United States. Costa Rican financial institutions were also deeply affected, having issued 21.45% of cards that were compromised,” the researchers said.

“Additionally, we were able to determine the type of many cards compromised by Soraya. Debit cards were the most compromised, representing 63.934% of the track 1 data obtained. Credit cards consisted of 34.153%. We were unable to determine the type of cards for 1.913%.”

Further examination of the malware’s code led the team to believe that its developers relied heavily on design choices found in both Zeus and Dexter, including how the malware intercepts data and performs memory scraping.

“Soraya has clearly taken inspiration from the Dexter and the Zeus families. The ‘split brain’ functionality of both memory scraping and form grabbing is Soraya’s most unique trait. In past campaigns, memory scrapers have been uniquely targeted at point-of-sale devices and form grabbers have been uniquely targeted at online bank users.”
