Intel Brief: ChewBacca Malware Utilizing Tor-Based Communications

By gTIC

On December 17, 2013, Kaspersky Lab expert Marco posted a blog entry identifying a new piece of malware that used Tor-based communications. It was not the first malware to use Tor for communications, but the disclosure that the malware, named “ChewBacca”, was both scraping memory for credit card data and keylogging made it unique.

Fast forward to January 30, 2014, when RSA researchers disclosed that this same piece of malware had been used in over 10 countries and had been collecting track 1 and track 2 data from infected Point-of-Sale (POS) systems since October 25, 2013.

The Kaspersky blog identifies the malicious file, ChewBacca.exe (MD5 21f8b9d9a6fa3a0cd3a3f0644636bf09), as a known PE32 executable that was compiled with Free Pascal 2.7.1 and contains Tor 0.2.3.25.

The Kaspersky blog notes:

After execution, the function "P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL" is called, which drops itself as "spoolsv.exe" into the "Startup folder" (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware).

Tor is dropped as "tor.exe" to the user's Temp and runs with a default listing on "localhost:9050."

At execution, the malware starts collecting keystrokes and stores them in a file named “system.log” in the system %temp% folder. This file is then uploaded via /sendlog.php to a hardcoded URL. As with many memory scrapers designed for credit card theft, common regular expressions are used to identify the data. The collected credit card data is then transmitted via an “Exfiltration” function to the same URL, but using /recvdata.php.

Kaspersky identifies the URL as “http://5jiXXXXXXXXXXgmb.onion” and notes that access to the page displays a login interface with a known image of Chewbacca from “A Game of Clones” (which is definitely not associated with the malware).

Additional analysis of the Chewbacca.exe file, as found at malwr.com, indicates that initial analysis was performed on December 17, 2013, on file:

Additionally, communications to IP 86[.]64[.]162[.]35 (domain identified as “ekiga[.]net”) are found. This communication is performed to request the public IP of the victim (Kaspersky notes that this IP/domain is not related to the malware).

As of December 17, 2013, Kaspersky says that the malware has not been offered in public (underground) forums.

As of January 30, 2014, VirusTotal shows that 38 of 49 antivirus vendors now detect the ChewBacca malware. Additional information from the RSA report states that simple deletion of the files created is enough to remove the malware from the infected system.

FishNet Security recommends that organizations use available block/shun lists for Tor exit nodes as part of their security program, and that they alert on communications to the IP address that has been used at the initial install of the malware.
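
The host artifacts and install-time lookup described in this brief can be combined into a single triage check over endpoint inventory data. The following is an added example, not code from Kaspersky, RSA or FishNet Security; the function name `triage_host`, the input shapes, the finding names and the sample inventories are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the brief above.
CHEWBACCA_MD5 = "21f8b9d9a6fa3a0cd3a3f0644636bf09"
IP_LOOKUP_HOST = "ekiga.net"   # benign service; a weak signal on its own
TOR_SOCKS_PORT = 9050          # Tor's default local listener

def _under(path, folder):
    """True if `folder` is one of the directory components of a Windows path."""
    return folder in ntpath.dirname(path).lower().split("\\")

def triage_host(files, listeners, dns_queries):
    """Return sorted finding names for one host.
    files: (path, md5) pairs; listeners: (process, address, port) triples;
    dns_queries: hostnames the host resolved (hypothetical input shapes)."""
    findings = set()
    for path, md5 in files:
        name = ntpath.basename(path).lower()
        if md5.lower() == CHEWBACCA_MD5:
            findings.add("known-md5")
        # The genuine print spooler runs from System32, not a Startup folder.
        if name == "spoolsv.exe" and _under(path, "startup"):
            findings.add("spoolsv-in-startup")
        if name == "tor.exe" and _under(path, "temp"):
            findings.add("tor-in-temp")
        if name == "system.log" and _under(path, "temp"):
            findings.add("keylog-file-in-temp")
    for _proc, addr, port in listeners:
        if port == TOR_SOCKS_PORT and addr in ("127.0.0.1", "::1", "localhost"):
            findings.add("local-tor-socks-listener")
    if any(q.lower().rstrip(".") == IP_LOOKUP_HOST for q in dns_queries):
        findings.add("public-ip-lookup")
    return sorted(findings)

# Constructed sample inventories (not real telemetry).
STARTUP = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
TEMP = r"C:\Documents and Settings\pos\Local Settings\Temp"
INFECTED = dict(
    files=[(STARTUP + r"\spoolsv.exe", CHEWBACCA_MD5),
           (TEMP + r"\tor.exe", "0" * 32),
           (TEMP + r"\system.log", "1" * 32)],
    listeners=[("tor.exe", "127.0.0.1", 9050)],
    dns_queries=["ekiga.net"],
)
CLEAN = dict(
    files=[(r"C:\WINDOWS\system32\spoolsv.exe", "2" * 32)],
    listeners=[("spoolsv.exe", "0.0.0.0", 1025)],
    dns_queries=["update.example.com"],
)
```

Findings such as `public-ip-lookup` or `keylog-file-in-temp` are weak in isolation; several of them on the same POS host are what warrant escalation.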