Intel Brief - ChewBacca Malware

February 03, 2014

On December 17, 2013, Kaspersky Lab expert Marco posted a blog entry identifying a new piece of malware that used Tor-based communications. The malware, named “ChewBacca,” was not the first to use Tor for communications, but the disclosure that it was both memory scraping for credit card data and keylogging made it unique.

Fast forward to January 30, 2014, when RSA researchers disclosed that this same piece of malware had been used in over 10 countries and had been collecting track 1 and track 2 data from infected Point-of-Sale (POS) systems since October 25, 2013.

The Kaspersky blog notes that the malicious file, ChewBacca.exe (MD5 21f8b9d9a6fa3a0cd3a3f0644636bf09), is a known PE32 executable that was compiled with Free Pascal 2.7.1 and contains Tor.

The Kaspersky blog notes:

After execution, the function "P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL" is called, which drops itself as "spoolsv.exe" into the "Startup folder" (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) and requests the public IP of the victim via a publicly accessible service at (which is not related to the malware).

Tor is dropped as "tor.exe" to the user's Temp and runs with a default listing on "localhost:9050."

On execution, the malware starts logging keystrokes and stores them in a file named “system.log” in the system %temp% folder. This file is then uploaded via /sendlog.php to a hardcoded URL. As with many memory scrapers designed for credit card theft, common regular expressions are used to identify the data. The collected credit card data is then transmitted via an “Exfiltration” function to the same URL, but using /recvdata.php.

Kaspersky identifies the URL as “http://5jiXXXXXXXXXXgmb.onion” and notes that access to the page displays a login interface with a known image of Chewbacca from “A Game of Clones” (which is definitely not associated with the malware).

Additional analysis of the Chewbacca.exe file, as found at indicates that initial analysis was performed on December 17, 2013, on file:

Additionally, communications to IP 86[.]64[.]162[.]35 (domain identified as “ekiga[.]net”) are found. This communication is performed to request the public IP of the victim (Kaspersky notes that this IP/domain is not related to the malware).

As of December 17, 2013, Kaspersky says that the malware has not been offered in public (underground) forums.

As of January 30, 2014, VirusTotal shows that 38 of 49 antivirus vendors now detect the ChewBacca malware. The RSA report also states that simply deleting the files created is enough to remove the malware from the infected system.

FishNet Security recommends that organizations utilize available block/shun lists for Tor exit nodes as part of their security program as well as alert on communications to the IP address that has been used at the initial install of the malware.
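The host and network artifacts described in this brief (spoolsv.exe in the Startup folder, tor.exe and system.log in Temp, a listener on localhost:9050, and the install-time connection to the public-IP lookup address) can be combined into a simple triage rule. The following is an added example, not code from FishNet Security, Kaspersky or RSA; the event schema (host, type, path, addr, port, dst), the host names and the two-finding threshold are assumptions, and the sample events are constructed.

```python
import ntpath

# Indicators come from the brief; the event schema is an assumption of this example.
INSTALL_IP = "86[.]64[.]162[.]35".replace("[.]", ".")  # refanged install-time lookup IP
TOR_SOCKS = ("127.0.0.1", 9050)                        # Tor default on localhost:9050

def classify(event):
    """Return the ChewBacca-related findings for one telemetry event."""
    findings = []
    kind = event.get("type")
    folder, name = ntpath.split(event.get("path", "").lower())
    if kind == "file_create":
        # The real spoolsv.exe lives in system32; a copy in Startup is the dropped malware.
        if name == "spoolsv.exe" and folder.endswith("\\programs\\startup"):
            findings.append("spoolsv.exe dropped in Startup folder")
        if name == "tor.exe" and folder.endswith("\\temp"):
            findings.append("tor.exe dropped in Temp")
        if name == "system.log" and folder.endswith("\\temp"):
            findings.append("keylog file system.log in Temp")
    elif kind == "net_listen":
        if (event.get("addr"), event.get("port")) == TOR_SOCKS:
            findings.append("local listener on Tor default port 9050")
    elif kind == "net_connect":
        if event.get("dst") == INSTALL_IP:
            findings.append("connection to install-time IP lookup address")
    return findings

def triage(events):
    """Group findings per host; two or more distinct findings rate 'high'."""
    by_host = {}
    for ev in events:
        for finding in classify(ev):
            by_host.setdefault(ev["host"], set()).add(finding)
    return {host: ("high" if len(found) >= 2 else "review", sorted(found))
            for host, found in by_host.items()}

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "POS-01", "type": "file_create",
     "path": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsv.exe"},
    {"host": "POS-01", "type": "file_create", "path": r"C:\DOCUME~1\clerk\LOCALS~1\Temp\tor.exe"},
    {"host": "POS-01", "type": "net_connect", "dst": "86.64.162.35"},
    {"host": "POS-02", "type": "file_create", "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"host": "WS-07", "type": "net_listen", "addr": "127.0.0.1", "port": 9050},
]

if __name__ == "__main__":
    for host, (priority, found) in sorted(triage(SAMPLE).items()):
        print(host, priority, found)
```

A single finding is rated "review" because the brief notes the lookup address is not related to the malware, and a listener on port 9050 alone only indicates Tor.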
