Alina

Alina, originally written in late 2012, was not publicly disclosed until February 2013 and is believed to have been written by the author of the Dexter PoS malware. In October 2013, reports surfaced that Alina's source code was being sold on underground forums for $2,000 USD. This led to Alina's code and characteristics appearing in additional variants and families such as Backoff, JackPOS, Spark, Eagle, Katrina, and most recently, Pro PoS. Once a PoS system is infected, Alina checks whether its own code is up to date and, if not, removes the outdated copy and installs the latest version of itself. It monitors the infected system's processes and blacklists any that are unlikely to hold payment card data. For all other processes, Alina scans memory for Track 1 and Track 2 card data. If such data is located, Alina encrypts it and transmits it to one of the attacker's available C2 servers using HTTP POST. Organizations with weak passwords on their remote access servers are particularly vulnerable to this infection.

Reporting

  • December 2015: Analysis of the latest variant of Alina, Pro PoS. (Cisco Talos Blog)
  • January 2015: Details on the evolution of Alina from 2012 to 2015. (Nuix Blog)

Technical Details

  • Nuix offers a detailed breakdown of Alina and a signature to detect nearly all known versions here.
  • Additional IOCs can be found on the Trend Micro website here.

[Figure] One example of the Alina PoS malware network traffic. Image Source: Talos Intel