Login
Login

Alina (malware)

{{Short description|Point of Sale Malware}}

Alina is a Point of Sale Malware or POS RAM Scraper that is used by cybercriminals to scrape credit card and debit card information from the point of sale system.{{Cite web|url=https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/alina-pos-malware-sparks-off-a-new-variant/|title=Alina POS malware "sparks" off a new variant|website=Trustwave|date=18 December 2014 }} It first started to scrape information in late 2012. It resembles JackPOS Malware.{{Cite web|url=https://www.securityweek.com/researchers-id-new-variant-alina-pos-malware|title=Researchers ID New Variant of Alina PoS Malware | SecurityWeek.Com|website=www.securityweek.com|date=18 December 2014 }}[http://community.hpe.com/t5/Security-Research/Alina-POS-Malware/ba-p/6385271#.V2qUC_l96Uk Alina POS Malware]

Process of Alina POS RAM Scraper

Once executed, it gets installed on the user's computer and checks for updates. If an update is found, it removes the existing Alina code and installs the latest version. Then, for new installations, it adds the file path to an AutoStart runkey to maintain persistence. Finally, it adds java.exe to the %APPDATA% directory and executes it using the parameter alina= for new installations or, update=; for upgrades.{{Cite web|url=http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf|title=PoS RAM Scraper Malware: Past, Present, and Future}}{{Cite web |url=http://blog.sisainfosec.com/2015/07/pos-malware-stealth-tool-to-steal.html |title=PoS RAM Scraper Malware Mechanism |access-date=2016-06-22 |archive-date=2016-08-10 |archive-url=https://web.archive.org/web/20160810211300/http://blog.sisainfosec.com/2015/07/pos-malware-stealth-tool-to-steal.html |url-status=dead }}

Alina inspects the user's processes with the help of Windows API calls:

  • CreateToolhelp32Snapshot() takes a snapshot of all running processes
  • Process32First()/Process32Next() retrieve the track 1 and track 2 information in the process memory

Alina maintains a blacklist of processes, if there is no process information in the blacklist it uses OpenProcess() to read and process the contents in the memory dump. Once the data is scraped Alina sends it to C&C servers using an HTTP POST command that is hardcoded in binary.{{Cite web|url=https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/alina-casting-a-shadow-on-pos/|title=Alina: Casting a Shadow on POS|website=Trustwave|date=8 May 2013 }}

See also

References

{{reflist}}

{{Malware}}

{{Hacking in the 2010s}}

Category:Carding (fraud)

Category:Cyberwarfare

Category:Windows trojans

{{malware-stub}}