JackPOS malware presented as a Java Update Scheduler

Pierluigi Paganini February 12, 2014

JackPOS was detected by security experts at IntelCrawler firm several days ago and it seemed based on code from “Alina”. Attacks on POS are on the rise.

A new strain of Point-of-Sale malware named “JackPOS” was discovered by IntelCrawler, a cyber intelligence firm from Los Angeles, confirming the growing trend of Point-of-Sales malware after the Target data breach. JackPOS was detected several days ago and it seemed based on code from “Alina”.

“The bad actors are using similar tactics and methods by gathering and memory parsing of the of credit card data once inside the merchant’s system” reported the official post published by the company.


jackpos 1


jackpos 2

The cybercriminals distributed via Drive-by attack several variants of malware masked as Java (TM) Platform SE binary which then replaced the legit Java Update Scheduler file having its embedded strings in the file description.

“Some of detected samples use APC Injection from User Space using the API function QueueUserAPC to “svchost.exe”. The malware samples are pretty fresh and were created close to the beginning of February. The build path which was detected follows to “C:\Users\ziedpirate.ziedpirate-PC\Desktop\sop\sop\Release”

jackpos 3

jackpos 4

jackpos 5

jackpos 6

jackpos 7

jackpos 8

The cybercriminals have written the loaders with AutoIt coding language because it is a very flexible scripting language used since 1999 in Windows environments. The language was used to perform simple operations like text file editing, but allows also the creation of more complex scripts that perform mass downloads with complex GUIs. AutoIt is an easy-to-learn language that allows for quick development,due this reason it was chosen by numerous malware author.

Malware authors used it to implement detection avoidance techniques, in particular, they have written the loader code to unpack additional binary malicious code and execute further instructions received from the C&C server.  IntelCrawler experts confirmed the existence of different attack vectors, crooks have used some sophisticated scanning, loading, and propagating techniques to get into merchants’ system thru external perimeters and then move to card processing areas, which were possibly not separated in compliance with PCI polices. 

Which is the extent of the infection?

IntelCrawler  analysts have found compromised machines in numerous countries, including  Brazil, Canada, France, India, Spain, Korea, Argentina and the US. In same cases the machines were infected more than 17 days ago. The IntelCrawler’s threat intelligence team released a global map of Point-of-Sales infections based on data collected during the investigation on different malware.

POS malware map

[adorate banner=”9″]

Pierluigi Paganini

(Security Affairs –  JackPOS, malware)

[adorate banner=”12″]

Credits: – Xylitol (http://www.xylibox.com) – MalwareMustDie! (http://malwaremustdie.org/About IntelCrawler IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3, 000, 000, 000 IPv4 and over 200, 000, 000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.

you might also like

leave a comment