Alina (malware)
Alina is a point-of-sale malware, or POS RAM scraper, that is used by cybercriminals to scrape credit card and debit card information from the point of sale system. It first started to scrape information in late 2012. It resembles JackPOS malware.


Process of Alina POS RAM Scraper

Once executed, it gets installed on the user's computer and checks for updates. If an update is found, it removes the existing Alina code and installs the latest version. Then, for new installations, it adds the file path to an AutoStart run key to maintain persistence. Finally, it adds java.exe to the %APPDATA% directory and executes it with the parameter alina= for new installations or update= for upgrades.

Alina inspects the user's processes with the help of Windows API calls:

* CreateToolhelp32Snapshot() takes a snapshot of all running processes
* Process32First()/Process32Next() retrieve the track 1 and track 2 information in the process memory

Alina maintains a blacklist of processes; if a process does not appear in the blacklist, it uses OpenProcess() to read and process the contents of its memory dump. Once the data is scraped, Alina sends it to C&C servers using an HTTP POST command that is hardcoded in the binary.
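The behaviour chain described above (a java.exe dropped in %APPDATA% and launched with alina= or update=, a run-key entry pointing into %APPDATA%, process enumeration followed by cross-process memory reads and an HTTP POST) is what a defender would look for in endpoint telemetry. The following is an added detection example written for this page; it is not Alina's code nor any vendor's rule set. The key=value event format, the sample events, the pid values, the process names and the example.invalid URLs are all constructed for the example, and the threshold of three cross-process reads is an assumption rather than a figure from the page.

```python
"""Flag Alina-style POS RAM scraper behaviour in constructed endpoint telemetry.

Illustrative detection logic added for this page, not the malware's own code.
The key=value line format is an assumption; real EDR or Sysmon schemas differ.
"""
import re
from collections import defaultdict

# Constructed sample telemetry for one host (not captured from a real incident).
SAMPLE_EVENTS = [
    'type=process_create pid=4120 image=C:\\Users\\pos\\AppData\\Roaming\\java.exe cmdline="java.exe alina="',
    'type=registry_set pid=4120 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=C:\\Users\\pos\\AppData\\Roaming\\java.exe',
    "type=api_call pid=4120 api=CreateToolhelp32Snapshot",
    "type=api_call pid=4120 api=OpenProcess target=pos.exe",
    "type=api_call pid=4120 api=OpenProcess target=cashreg.exe",
    "type=api_call pid=4120 api=OpenProcess target=explorer.exe",
    "type=network pid=4120 method=POST url=http://example.invalid/gate.php",
    # Benign noise: a real JRE launched from Program Files, and a browser POST.
    'type=process_create pid=5000 image="C:\\Program Files\\Java\\bin\\java.exe" cmdline="java.exe -jar app.jar"',
    "type=api_call pid=5000 api=CreateToolhelp32Snapshot",
    "type=network pid=6000 method=POST url=https://example.invalid/login",
]

APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
LAUNCH_ARGS = ("alina=", "update=")   # launcher parameters named on the page
MIN_TARGETS = 3                       # assumed threshold for "scanning" behaviour


def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def analyze(lines):
    """Return (pid, description) findings for the three indicators."""
    findings = []
    # Per-pid state: did it enumerate processes, and which processes did it open?
    state = defaultdict(lambda: {"snapshot": False, "targets": set()})
    for ev in map(parse_event, lines):
        pid, kind = ev.get("pid"), ev.get("type")
        if kind == "process_create":
            image, cmd = ev.get("image", ""), ev.get("cmdline", "")
            if (image.lower().endswith("\\java.exe") and APPDATA_RE.search(image)
                    and any(arg in cmd for arg in LAUNCH_ARGS)):
                findings.append((pid, "java.exe launched from %APPDATA% with alina=/update= argument"))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev.get("key", "")) and APPDATA_RE.search(ev.get("value", "")):
                findings.append((pid, "Run-key persistence pointing into %APPDATA%"))
        elif kind == "api_call":
            s = state[pid]
            if ev.get("api") == "CreateToolhelp32Snapshot":
                s["snapshot"] = True
            elif ev.get("api") == "OpenProcess" and s["snapshot"]:
                s["targets"].add(ev.get("target", ""))
        elif kind == "network" and ev.get("method") == "POST":
            s = state[pid]
            if s["snapshot"] and len(s["targets"]) >= MIN_TARGETS:
                findings.append((pid, f"process enumeration, {len(s['targets'])} cross-process reads, then HTTP POST"))
    return findings


if __name__ == "__main__":
    for pid, why in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {why}")
```

Only pid 4120 trips all three rules; the genuine JRE (pid 5000) enumerates processes but never reads other processes' memory or posts anywhere, and the browser (pid 6000) posts without any enumeration, so neither is flagged. In practice the third rule is the one worth tuning, since legitimate monitoring agents also enumerate and open processes.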


See also

* Point-of-sale malware
* Cyber security standards
* List of cyber attack threat trends

