Cherry Picker POS Malware Scraping Memory and Evading Detection

December 4, 2015 | Garrett Gross

Every holiday season, retailers become prime targets for point of sale (POS) and endpoint-based attacks due to the much higher volume of in-person and online transactions that take place. Attackers know that the high volume of transactions and need to minimize downtime leaves most IT teams in retail little time to detect unusual behavior.

Security researchers are seeing increasingly sophisticated tools used by attackers to steal cardholder data as it traverses the memory of the POS system. One such tool (or family of tools) is named “Cherry Picker” and refers to its targeted method involving scraping the memory of very specific processes that contain credit card numbers and other payment information. This conservative approach minimizes exposure and lessens the chance of behavioral based detection. Current versions are multi-threaded as well, harvesting cardholder data and exfiltrating it via FTP in tandem, significantly reducing the time it takes for the actual theft to occur.

Other evasive techniques leveraged by Cherry Picker include encryption of stolen data when transmitting to an external source, a timeout parameter to specify exactly when and how often the malware runs, and an effective file infection mechanism to ensure persistence. Recent versions have even included a cleanup function that goes to great lengths to hide the malware’s tracks and thwart any forensic research done following a breach.

Impact on you

  • When your business depends on the ability to take payment for the goods or services you offer, a breach of those payment systems could cause a temporary shutdown.
  • The longer you are down, the greater loss you’ll incur, especially when the holidays are your peak season.
  • Known breaches can also have a significant negative impact on your business’s reputation, especially when the malware could have been picked up by IDS or other detection methods.

How AlienVault Helps

AlienVault Labs continues to perform cutting edge research on threats like these, collecting large amounts of data and then analyzing it to extrapolate expert threat intelligence. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this exploit:

- System Compromise, Trojan infection, CherryPicker POS

For further investigation into the Cherry Picker POS malware and visit the Open Threat Exchange (OTX) to see what research members of the community have done:

Garrett Gross

About the Author: Garrett Gross

Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.

Read more posts from Garrett Gross ›


Watch a demo ›
Get price Free trial