Romanian Cybercriminals Launch “Decebal” POS Malware Written in VBScript


Decebal POS malware appears to be developed by Romanians

Researchers from IT security firm IntelCrawler have identified a new malware, dubbed “Decebal,” that’s designed to steal information from point-of-sale (POS) systems. The threat has been written in VBScript and the functional code is less than 400 lines.

Malware designed to target POS systems is becoming more and more popular, and the recent attacks aimed against Target, Neiman Marcus, and other US retailers demonstrate it.

However, the Decebal malware – whose name stems from Decebalus, the king of Dacia, the historic region that today corresponds to Romania and Moldova – shows that such threats are constantly evolving.

What’s interesting about Decebal is that it’s capable of checking to see if the computer on which it’s deployed is running any sandboxing or reverse engineering software. It’s also designed to validate payment card numbers.

“Track 2 validation software was also found, used by bad actors to check received compromised data by issuing bank by the first 6 digits (BIN); it has some phrases and text strings in Romanian, pointing to the original roots of possible authors,” IntelCrawler noted in its report.

For instance, when an error occurs in the Track 2 data validation process, the message “Esti beat?” is displayed in a pop-up. In Romanian, “Esti beat?” means “Are you drunk?” The interface labels corresponding to “Select file” and “Validate” are also written in Romanian.
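The report describes a Track 2 validation tool that checks stolen card data and keys it by the first six digits (BIN). The same format knowledge is what a defender needs to spot track data leaving a POS network. The following example is added here and is not code from IntelCrawler, from the Decebal malware, or from its Track 2 checker: it parses the Track 2 layout (ISO/IEC 7813: start sentinel `;`, PAN, `=` separator, YYMM expiry, three-digit service code, optional discretionary data, end sentinel `?`), rejects PANs that fail the Luhn check, extracts the BIN prefix, and runs as an egress-monitoring rule over a few constructed log lines. The log lines, the `/upload` path in them, and the test PANs are constructed sample data; no issuer database lookup is performed, only the prefix is extracted.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary>?
# PAN is 13-19 digits, expiry is YYMM, service code is 3 digits.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


class Track2(NamedTuple):
    pan: str
    issuer_bin: str      # first six digits, the BIN the report mentions
    expiry: str          # YYMM
    service_code: str    # three digits


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum; filters out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(text: str) -> Optional[Track2]:
    """Return the first Luhn-valid Track 2 record found in text, or None."""
    m = TRACK2_RE.search(text)
    if not m:
        return None
    pan = m.group("pan")
    if not luhn_valid(pan):
        return None
    return Track2(
        pan=pan,
        issuer_bin=pan[:6],
        expiry=m.group("exp"),
        service_code=m.group("svc"),
    )


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits so an alert never carries a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Egress-monitoring rule: (line number, BIN, masked PAN) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_track2(line)
        if rec is not None:
            hits.append((n, rec.issuer_bin, mask_pan(rec.pan)))
    return hits


# Constructed sample log lines (not from the report). Line 1 carries a
# Luhn-valid test PAN, line 2 the same PAN with a corrupted check digit,
# line 3 is benign traffic.
SAMPLE_LINES = [
    "2014-01-12 10:03:11 POST /upload body=;4111111111111111=25121011234567890?",
    "2014-01-12 10:03:12 POST /upload body=;4111111111111112=25121011234567890?",
    "2014-01-12 10:03:13 GET /index.html 200",
]

if __name__ == "__main__":
    for n, issuer_bin, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: Track 2 data detected, BIN={issuer_bin}, PAN={masked}")
```

Only the first line is reported: the second fails the Luhn check and is dropped as a false positive, which matters when such a rule runs over high-volume proxy or IDS logs. Alerts carry the BIN and a masked PAN, so the monitoring pipeline itself does not become a second store of full card numbers.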

The Decebal POS malware was first released on January 3, 2014. The threat has a very compact command and control server that acts as a gate for receiving data stolen from POS machines.

“The code is pretty portable; a scripting language is a great advantage for easy infection of point-of-sale systems and is more flexible than binaries. This example shows that modern retailers’ environments can face such a threat, and bad actors don’t need to make a lot of effort for it,” explained Andrew Komarov, CEO of IntelCrawler.

As of 14 hours before this article was published, none of the antivirus engines on VirusTotal detected the threat. The sample was first submitted to VirusTotal on January 12, and its detection status has not changed since then.
