 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
Tool: ChewBacca| Names | ChewBacca | |
| Category | Malware | |
| Type | POS malware, Keylogger, Credential stealer | |
| Description | (Trend Micro) ChewBacca is a PoS RAM scraper family, first discovered at the end of 2013, which uses the Tor network to exfiltrate stolen data. When first executed, ChewBacca copies itself to %USERPROFILE%\START MENU\Programs\Startup\spoolsv.exe and adds itself to an Auto Start runkey to remain persistent. It is self-contained and installs obfsproxy v0.2.3.25—a Tor proxy application—in %TEMP%. It then hooks WH_KEYBOARD_LL, which monitors keyboard input events. This allows ChewBacca to capture all keyboard events, which are then logged to %TEMP%\system.log. | |
| Information | <https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf> <https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware> <https://threatpost.com/chewbacca-point-of-sale-malware-campaign-found-in-10-countries/103985/> <https://threatpost.com/points-of-sale-poorly-secured-facing-sophisticated-attacks/106027/> <http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/> | |
| Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca> | |
Last change to this tool card: 25 May 2020
Download this tool card in JSON format
| Changed | Name | Country | Observed | ||
Unknown groups | |||||
 | _[ Interesting malware not linked to an actor yet ]_ | ||||
1 group listed (0 APT, 0 other, 1 unknown)
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |