The malware cleans up after itself to avoid being detected

Nov 17, 2015 11:15 GMT

Since 2011, a PoS (Point of Sale) malware family has been infecting retailers and silently stealing credit card data without being detected by antivirus and security vendors.

Trustwave's SpiderLabs team named this new malware "Cherry Picker," after the basketball term for players who don't play defense and instead wait in the opponent's court for a pass.

Just like in basketball, this malware only targets specific PoS device processes, known to contain valuable data.

According to Trustwave's research, the malware appears to have been created and first deployed back in 2011, but its simple yet sophisticated mode of operation has allowed it to evade detection until now.

After four years of gathering details about the way the malware evolved and worked, Trustwave claims to have enough details on this threat to be able to stop it from infecting PoS devices and endpoints.

Cherry Picker uses TeamViewer to clean up after itself

Cherry Picker's MO relies on spreading to PoS devices where, using a dedicated executable, it injects a DLL into target processes. A custom memory-scraping algorithm then locates and steals card data from the infected device, sending everything to a remote C&C server.

Once data has been extracted from target systems, Cherry Picker, unlike other malware, starts cleaning up after itself. The malware uses a local instance of TeamViewer to remove any trace it may have left on the system and delete itself.

Thanks to this continual cleanup, combined with encryption, code obfuscation, and the use of command-line-based tools, Cherry Picker has managed to avoid detection all these years.
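The two behaviours described above, a separate executable injecting into PoS processes and a remote-access tool later deleting the malware's own files, are both visible to endpoint telemetry. The following is an added detection example, not Trustwave's code and not derived from the actual samples: the event format, the process names (pos.exe, paymentsvc.exe, dropper.exe) and the 30-minute cleanup window are all constructed assumptions for illustration.

```python
"""Toy detection rules for two Cherry Picker behaviours: cross-process access
into a PoS process (DLL injection indicator) and a remote-access tool deleting
a recently executed binary (self-cleanup indicator).

Added example, not Trustwave's code. The log format, field names, process
names and time window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: image names of the payment processes worth protecting (hypothetical).
POS_PROCESSES = {"pos.exe", "paymentsvc.exe"}
# Assumed: remote-access tools that should not normally be deleting binaries.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe"}


@dataclass
class Event:
    ts: datetime
    kind: str     # "process_start" | "process_access" | "file_delete"
    actor: str    # image name of the process performing the action
    target: str   # process image (process_access) or file path (start/delete)


def parse_event(line: str) -> Event:
    """Parse one constructed, pipe-separated telemetry line."""
    ts, kind, actor, target = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, actor, target)


def find_injection(events):
    """Flag non-PoS processes opening a PoS process for cross-process access."""
    return [
        e for e in events
        if e.kind == "process_access"
        and e.target.lower() in POS_PROCESSES
        and e.actor.lower() not in POS_PROCESSES
    ]


def find_cleanup(events, window=timedelta(minutes=30)):
    """Flag a remote-access tool deleting a file that was started as a
    process within `window` before the deletion (anti-forensic cleanup)."""
    first_start = {}  # image path -> first time it was executed
    for e in events:
        if e.kind == "process_start":
            first_start.setdefault(e.target.lower(), e.ts)
    hits = []
    for e in events:
        if e.kind == "file_delete" and e.actor.lower() in REMOTE_ACCESS_TOOLS:
            t0 = first_start.get(e.target.lower())
            if t0 is not None and timedelta(0) <= e.ts - t0 <= window:
                hits.append(e)
    return hits


# Constructed sample telemetry (raw string so backslashes are kept literally).
SAMPLE_LOG = r"""
2015-11-17T10:00:00|process_start|explorer.exe|C:\Windows\Temp\dropper.exe
2015-11-17T10:00:05|process_access|dropper.exe|pos.exe
2015-11-17T10:01:00|process_access|pos.exe|pos.exe
2015-11-17T10:20:00|file_delete|teamviewer.exe|C:\Windows\Temp\dropper.exe
2015-11-17T11:00:00|file_delete|teamviewer.exe|C:\Users\op\notes.txt
2015-11-17T11:30:00|file_delete|explorer.exe|C:\Windows\Temp\dropper.exe
"""


def run_sample():
    """Run both rules over the constructed log; returns (injection, cleanup)."""
    events = [parse_event(l) for l in SAMPLE_LOG.strip().splitlines()]
    return find_injection(events), find_cleanup(events)


if __name__ == "__main__":
    injection, cleanup = run_sample()
    for e in injection:
        print(f"[injection] {e.ts} {e.actor} -> {e.target}")
    for e in cleanup:
        print(f"[cleanup]   {e.ts} {e.actor} deleted {e.target}")
```

Both rules are deliberately narrow: the injection rule ignores a PoS process touching itself, and the cleanup rule only fires when the deleting process is a remote-access tool and the deleted file was executed shortly before, which is what separates self-cleanup from routine file housekeeping.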

"The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to remain under the radar of many security and AV companies," says Eric Merritt from Trustwave. "Hopefully this post will raise awareness and drive further discussion of this malware family so that customers will be protected from this threat."