Blueliv discovers the Alina variant – Joker

Joker malware is a Point of Sale malware that was developed using, as a baseline, the Alina POS source code. After tracking it for some weeks, we’ve realized that behind the malware there is a dedicated effort towards developing and improving the sample. We have got our hands on 4 different versions of the sample, and we know that there are at least 3 more versions.

What differentiates the Joker malware sample from a common Alina sample, is basically that the authors added a ton of checks to the sample in order to verify the environment where it is executed. Even though the checks aren’t too complex, there are a lot of them. It has mechanisms that allow the malware to detect if it’s being run in a virtualized environment, looking for devices or processes related to VirtualBox, to detect if it’s being debugged (isDebuggerPresent, a few SEH traps…), or if there are reversing or monitoring tools, such as OllyDBG or process explorer, installed in the system.

If each check is successful, the code continues with the execution, if one of them fails, code exits.

Luckily for us, all of these validations are made in a linear manner, meaning that the checks occur in order, one after another:

Joker validations


In the screenshot, the blue nodes are the ones performing a validation, and the red ones are calling the exit function. The last node (in green), starts the execution of the main malware process.

This allows the analyst to bypass the checks easily either by modifying the assembly code, or while debugging, jumping to the last node.

The scrapping and exfiltration mechanisms reassemble those of Alina. The malware searches the credit card information in memory, and exfiltrates it through HTTP requests to the C&C gate.

The name of the sample comes from the panel:

Joker login

The panel is actually quite simple, it uses the classic bootstrap template, and shows information about the computer where the credit card information was stolen, along with other information:

Joker panel

From the panel, the bot master can visualize the stolen data, see which bots are alive and which are down and he can also deploy new versions of Joker, being able to improve the existing bots with new features.

Joker is just one example in an ocean of new malware that is being developed and deployed at this moment. Security professionals around the world will find (if they haven’t already) a need to collaborate and share intelligence in order to fight these threats, and so, Blueliv wants to lead with example, sharing information about crime servers through our free API, which now also allows you to check if an IP is in our database of affected assets!

The sample shown in this post is a joker 2.5:


Blueliv labs

Dark Commerce

Exploring the cybercrime industry and its business models: part 1

Read free report
Demo Free Trial MSSP