
Trojan-Spy.Win32.SPSniffer

By ZulaZuza in Trojans

Trojan-Spy.Win32.SPSniffer is a Trojan, also known as the 'Chupa Cabra' malware (literally 'goat sucker'), that targets payment devices. Fraudsters use Trojan-Spy.Win32.SPSniffer, or Chupa Cabra malware, to steal credit card data and clone cards. The Chupa Cabra is a mythical beast said to dwell in some regions of the Americas; sightings have been claimed in Puerto Rico, where it was first reported, in Mexico, and in the United States, especially in the latter's Latin American communities. Brazilian carders also use the name Chupa Cabra for the skimmer devices they install on ATMs, because the skimmer 'sucks' data from the victim's card, and Brazilian media regularly show footage of fraudsters fitting a Chupa Cabra to an ATM. The idea behind the Chupa Cabra malware is simple: to avoid the risk of being caught red-handed while installing a physical ATM skimmer, the fraudsters have moved on to installing malicious code on the Windows computers that drive point-of-sale terminals. Their goal is to intercept the communications of the PIN pads used at supermarkets, gas stations and anywhere else that accepts card payments.

Chupa Cabra malware was first identified in Brazil in December 2010 as Trojan-Spy.Win32.SPSniffer. It has four variants (A, B, C and D) and was sold among Brazilian cybercriminals for around five thousand dollars. Trojan-Spy.Win32.SPSniffer can be readily adapted and spread to other countries, including the US, and possibly elsewhere in the world. PIN pads themselves are hardened: they carry hardware and firmware tamper-protection features that erase the security keys if someone tries to open or damage the device, and the PIN is encrypted immediately on entry using one of several encryption schemes and symmetric keys, most commonly Triple DES (3DES), which makes recovering the PIN from the wire impractical. The problem lies elsewhere: these devices are connected to a computer via a USB or serial port, and that computer runs the EFT (Electronic Funds Transfer) software. Older, outdated PIN pad models, still widely used in Brazil, are vulnerable on that link today.

On these old devices, the Track 1 data and the public data held on the card's chip are not encrypted in hardware. That generally includes the card number, expiration date, service code and optional discretionary data such as the CVV; in short, almost everything a criminal needs to spend your money. Because this data is not encrypted, it travels to the computer in plain text, and collecting it is enough to clone the card. Chupa Cabra malware installs a simple USB or serial port sniffer driver, generally adapted from commercial port-monitoring software, to capture all data exchanged between the PIN pad and the computer. The first versions also installed a DLL that monitors and captures traffic from every device attached to any COM port; the newest versions use the TVicCommSpy driver to collect USB traffic for the same purpose. The malicious DLL also records every keystroke (keylogger). All the stolen Track 1 data is written to a file together with information about the infected machine and sent to the criminal, usually by email. To make sure the data reaches the criminals 'safely', Chupa Cabra encrypts it with a symmetric cipher whose key is a Unicode string.
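As an added example (not code from the original page or from the SPSniffer sample), the following Python scans a byte capture from the PIN-pad link for the cleartext Track 1 records described above. The capture, the STX/ETX message framing, the field labels and the card numbers are all constructed for illustration; the only real-world structure assumed is the ISO/IEC 7813 Track 1 layout (%B, PAN, ^, cardholder name, ^, YYMM expiry, three-digit service code, discretionary data, ?). Running this over a capture from your own EFT host is a quick way to confirm whether a given PIN pad model still sends track data in the clear, and it is essentially the parsing step the sniffer has to perform once it holds the port traffic. Note that the PIN block in the sample stays opaque, which is exactly why the malware goes after the track data rather than the PIN.

```python
import re
from dataclasses import dataclass

# Constructed sample of a PIN-pad-to-host serial exchange (not real traffic).
# Each message is STX ... ETX. Track 1 is sent in the clear, as on the old
# devices described above; the PIN block is an opaque 8-byte (3DES-encrypted)
# blob, which is all a sniffer ever sees of the PIN. Card numbers are the
# well-known Visa/Mastercard test PANs plus one deliberately invalid number.
SAMPLE_CAPTURE = b"".join([
    b"\x02TRK1=%B4111111111111111^DOE/JOHN^25121011000000000000?\x03",
    b"\x02PINBLK=" + bytes.fromhex("9f2a7c0e41d8b356") + b"\x03",
    b"\x02TRK1=%B5555555555554444^SMITH/JANE^26061010000000000000?\x03",
    b"\x02TRK1=%B1234567890123456^BAD/LUHN^24011010000000000000?\x03",
])

# ISO/IEC 7813 Track 1: %B <PAN, up to 19 digits> ^ <name> ^ <YYMM> <service code> <discretionary> ?
TRACK1_RE = re.compile(rb"%B(\d{1,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; separates plausible PANs from digit noise in a capture."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track1:
    pan: str
    name: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    luhn_valid: bool

    def masked_pan(self) -> str:
        """PCI-style masking: keep the first six and last four digits only."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    def chip_card(self) -> bool:
        """Service code first digit 2 or 6 signals an EMV chip card."""
        return self.service_code[0] in ("2", "6")


def extract_track1(stream: bytes) -> list[Track1]:
    """Return every Track 1 record that appears in clear text in the raw capture."""
    records = []
    for m in TRACK1_RE.finditer(stream):
        pan, name, exp, svc, disc = (g.decode("ascii", errors="replace") for g in m.groups())
        records.append(Track1(pan, name.strip(), exp, svc, disc, luhn_ok(pan)))
    return records


def report(stream: bytes) -> list[str]:
    """One line per leaked card, PAN masked so the report itself is safe to log."""
    lines = []
    for r in extract_track1(stream):
        status = "valid PAN" if r.luhn_valid else "Luhn FAIL"
        lines.append(
            f"{r.masked_pan()} exp={r.expiry_yymm} svc={r.service_code} "
            f"chip={'yes' if r.chip_card() else 'no'} ({status})"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print("cleartext Track 1 on PIN-pad link:", line)
```

If the scanner reports any record with a Luhn-valid PAN, the PIN pad under test is leaking cloneable card data to the host, and anything running on that Windows machine with enough privilege to load a port-monitoring driver can collect it; the fix is a terminal that encrypts track data in hardware, not host-side hardening alone.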
