New POS Malware - TinyPOS
released on 2016-04-06 @ 09:08:14 PM
While the sample is a typical memory scraper, it appears to be “hand rolled” assembly language and comes in at only 5120 bytes. The malware contains an old-school process exclusion list: it decides which processes to ignore using extremely rapid double-word (dword) comparisons rather than the slower but far more common string comparisons, and it internally validates the account data it identifies through an implementation of the Luhn algorithm.
The malware exfiltrates the collected account data directly to an external Command and Control (C2) server in Eastern Europe, but, unusually, the communications utilise “raw” TCP sockets rather than the HTTP protocol that has become the norm in POS malware. The data is encoded prior to transmission using a dword XOR routine, so IDS technology that looks for cleartext Track data is unlikely to see it flying around a compromised network.
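As an added example (not TinyPOS code), the two mechanisms described above, Luhn validation of scraped account data and a dword XOR over the outgoing buffer, seen from the defender's side. It assumes the XOR is a fixed 4-byte key repeated across the buffer (the post does not describe the key schedule) and that the payload is a Track 2 record; given a captured exfil blob it recovers the plaintext using only the Track 2 alphabet, the sentinel layout and the Luhn check, with no knowledge of the key.

```python
from itertools import product
from typing import List, Optional

# Constructed example, not TinyPOS code. Assumes the "dword XOR" is a fixed 4-byte
# key repeated over the buffer; the post does not describe the key schedule.
TRACK2_ALPHABET = set(b"0123456789;=?")   # digits plus start, field and end sentinels

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, the filter POS scrapers use to separate PANs from noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def dword_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric encode/decode: XOR every byte with the 4-byte key, repeated."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def extract_pan(track2: bytes) -> Optional[str]:
    """Return the PAN from ';PAN=discretionary?' only if well formed and Luhn-valid."""
    text = track2.decode("ascii", errors="replace")
    if not (text.startswith(";") and text.endswith("?") and "=" in text):
        return None
    pan = text[1:text.index("=")]
    return pan if pan.isdigit() and luhn_valid(pan) else None

def recover_track2(cipher: bytes) -> Optional[bytes]:
    """Defender-side decode of a captured exfil blob without knowing the key.
    Each key position keeps only the bytes that map its whole ciphertext column
    into the Track 2 alphabet; the sentinel layout and the Luhn check then single
    out the one consistent combination (None if none or several survive)."""
    columns: List[List[int]] = []
    for pos in range(4):
        col = cipher[pos::4]
        columns.append([k for k in range(256)
                        if all((c ^ k) in TRACK2_ALPHABET for c in col)])
    hits = set()
    for key in product(*columns):
        plain = dword_xor(cipher, bytes(key))
        if extract_pan(plain):
            hits.add(plain)
    return hits.pop() if len(hits) == 1 else None

# Constructed sample: 4111111111111111 is a well-known Luhn-valid test PAN, not real card data.
SAMPLE_TRACK2 = b";4111111111111111=25121010000000000000?"
SAMPLE_KEY = bytes.fromhex("deadbeef")   # constructed key
SAMPLE_CIPHER = dword_xor(SAMPLE_TRACK2, SAMPLE_KEY)
```

`recover_track2(SAMPLE_CIPHER)` returns the original record; the search is cheap because each column admits only a handful of key bytes once every decoded byte must fall in the Track 2 alphabet.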