I was able to get my hands on a sample of malware thanks to Brian Baskin (malware reverse-engineer extraordinaire, Ghetto Forensics creator, all around good guy, and a HUGE contributor to a lot of the details in this post). After snagging the sample, I performed some basic analysis (using the same methodology that I used for the Target malware). Interestingly enough, the malware would not fully run on my Malware Box of Evil (MBE), which currently runs Windows XP, as consistently got the exception error listed below. It is possible that this is because the malware was designed for a later version of Windows, as both the esteemed Brian Baskin and myself performed a variety of tests and determined that the malware would work on other versions of Windows, including Server 2003, Server 2008, Vista, and Windows 7. (AUTHOR NOTE: Please see "Additional Research" at the end of the post that covers more details of how the malware works on XP/WEPOS.)
I first loaded the malware into PeStudio and found, beyond the basic items of interest, the regular expression the malware uses for searching for Track1 and Track2 data. This regular expression varied slightly compared to previous versions of malware that I have seen (most likely to account for more non-US track data (shorter credit card numbers starting with only 13 digits)) but it still performs the same basic function.
|Chewbacca file info in PeStudio. Note the hashes, as they are the same as in spoolsv.exe|
|Chewbacca searching for Track1 and Track2 regular expressions. Note the hard-coded URL as well!|
Only this time, when the data is found, it is supposed to exfiltrate the data to the hard coded URL automatically via TOR, using tor.exe, which is included with the malware.
WINDOWS XP TESTING
|Windows XP spoolsv.exe startup location|
|PeStudio 8.05 file information. Hashes are the same on Chewbacca and spoolsv.exe|
The expected keylogger file "system.log" was not created (in fact no additional files were created) and there did not appear to be any attempted outbound connections. I verified this by running Noriben (created by the aforementioned Brian Baskin).
|Noriben created processes and created files of partially run Chewbacca malware|
I even allowed the MBE to connect to the interwebs (through an anonymous connection, of course) in an effort to see if an actual connection was needed and I got the same unhandled exception error.
|Unhandled exception error message on Malware Box of Evil when trying to run Chewbacca. RUUUUUrhrGUGUGHRhghghghrRURURUghGHrrrrrr!|
WINDOWS 7 TESTING
|Noriben output of Chewbacca on Windows 7|
|Windows7 spoolsv.exe startup location|
|Chewbacca is gone!|
|Attempted to connect to ekiga.net|
|system.log keylogger location and file contents|
PeStudio Update: I shared some of the strings information with Marc yesterday and he updated PeStudio so now the Track1 and Track2 data regular expressions (and other strings of interest) present in this sample are blacklisted. PeStudio also now pulls out the default icon of a possible malware sample as well, which is one of my "quick triage" tricks to try to determine if any executables on a system might be malicious. Definitely go and download PeStudio 8.06 if you haven't already!!
|PeStudio 8.06 blacklisted strings. Some (but not all) of the key ones from Chewbacca are highlighted|
Thanks to this malware, I also acquired the WEPOS and POSReady2009 operating systems to install on the MBE in order to better replicate a POS environment and watch how malware performs in those environments. It will definitely be interesting to see if more malware is created specifically to target newer operating systems as Windows XP nears the end of life (WEPOS is supposed to be supported through 2020, although Windows XP Embedded and Server 2003 Embedded are supposed to have support only through 2016 and 2018, respectively).
Based on the testing that Brian and I performed, if the environment was running Windows XP or the original Windows Embedded Point of Service (WEPOS) version 1.0 through 1.3, the malware will not fully work (delete the original chewbacca.exe file, start scanning memory for Track1 and Track2 data, etc.) until the system is rebooted. It will only create spoolsv.exe in the "%AllUsersProfile%\Start Menu\Programs\Startup" location, but the system has to be rebooted in order for the malware to create the keylogger and begin scraping memory for Track1 and Track2 data.
Brian also made an interesting comment while reviewing this piece of malware. In his long and illustrious career of reverse engineering malware samples, this is the first piece of malware he has ever personally encountered that was created using Free Pascal Compiler (that used actual Pascal) and was, quote, "definitely weird". So Chewbacca has that going for it, which is nice :)
|Angry Birds Chewbacca, Lego Chewbacca, and dog chew toy Chewbacca.|