Pierluigi Paganini November 13, 2015

Researchers at Trustwave have published the analysis of the Cherry Picker threat, a point-of-sale (PoS) malware that went undetected over the years.

A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave.

Security experts at Trustwave have analyzed an insidious point-of-sale (PoS) malware dubbed Cherry Picker that threat has been around since at least 2011. The threat implements sophisticated evasion techniques that allowed it to remain under the radar across the years.

Cherry Picker Pos malware was detected for the first time in 2011 by experts at Trustwave, the researchers analyzed several samples and discovered that they were designed to inject processes managing cardholder data. One of the pieces of code analyzed by Trustwave consisted of two components, a command line interface (sr.exe), and the searcher.dll that is a code which is directly injected into targeted processes bysr.exe.

Cherry Picker belongs to the family of the memory scrapers and uses a file infector for persistence.

“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments have allowed the malware to remain under the radar of many security companies and AV’s,” Trustwave researchers said. “The introduction of new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”

The threat includes a cleaner module that allows it to remove all traces of the infection from the system.

The latest version of the Cherry Picker PoS malware uses the a set of API called QueryWorkingSet to scrape the memory and gather card data. The card data are then written into a file that is sent to the control servers.

“Once the data is exfiltrated, the cleaning process begins. The malware developers created a targeted cleaner tool designed to restore the infected system to a clean state. The threat relies on the popular remote control software TeamViewer to overwrite and remove files, logs and registry entries.” reported SecurityWeek.

The experts noticed that the presence of Cherry Picker was always accompanied to other threats, such as AutoIt PoS malware, and the Rdasrv that is one of the earliest PoS RAM scrapers.

Trustwave researchers reported spotting three different strains of the Cherry Picker PoS malware, the different versions account for the evolution of the other.

The researchers have noticed an evolution in the mechanism for persistence, earlier versions used a registry entry, in more recent instances, it uses an updated version of sr.exe, srf.exe, which has been used to install the malware and inject a DLL into processes.

The Cherry Picker PoS, different from similar threats focuses only on the process that manage card data, this process is reported in the configuration file. If the malware doesn’t find the process to inject on the machine it exits.

Pierluigi Paganini

Security Affairs –  (Cherry Picker, PoS malware)