New Spark malware targeting retail systems identified

Windows XP-based retail systems at risk from yet another memory-scraping malware tool

A new strain of malware targeting retail systems, called Spark, has been identified. Spark is unrelated to the notorious Backoff malware family and can steal payment card data from compromised point-of-sale systems, according to security software vendor Trustwave.

According to Trustwave, Spark is instead a variant of the Alina malware family, which first appeared in 2013. Like Backoff, which has affected an estimated 1,000 retailers in the US alone according to the Federal Bureau of Investigation, it works by scraping card details directly from the retail system's memory.

Spark exploits a glaring hole in the PCI-DSS retail security specifications, which do not require sensitive data to be encrypted while it is held in memory on retail systems, as they do for data in storage. Furthermore, many retail systems are based on a variant of Microsoft Windows XP, which has been heavily targeted throughout its history.

The Spark malware is delivered via an AutoIt script, which then loads the malware into memory. AutoIt is a legitimate freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting, according to its creators.

Over the past year or so, a number of major US retailers have been affected by memory-scraping malware based on the Backoff family. These include Home Depot, Neiman Marcus and, most high-profile of all, US retail chain Target, in a devastating attack that led to the departures of both its CIO and CEO. Other similar malware families identified include FrameworkPOS, BlackPOS and JackPOS.

Trustwave suspects a link between the Alina family, of which Spark is the latest known variant, and JackPOS, given the similar technical and behavioural components shared by the two malware families, such as their custom card-data searching routines, which point to a common author. "It is clear that Alina, JackPOS, and this variant all bear close resemblances to each other, but there are behavioral differences that distinguish this version from the others which I have not seen detailed elsewhere," claimed Trustwave in a blog post.

Trustwave uncovered the new malware while investigating multiple security breaches at an automotive repair and maintenance business, according to Ryan Merritt, malware research lead at Trustwave. Spark is not self-propagating, meaning that attackers need to target the retailer and its specific point-of-sale (POS) systems through some other form of attack.