Alina Continues to Spread its Wings

Another day, another variant of Alina—or so it would seem. For those unfamiliar, Alina is a point of sale (PoS) malware family that dates back to late 2012. Some of you might recall I previously investigated this malware family, and more specifically, its evolution. You can find those articles here and here.

More recently, my friend Eric Merritt spoke about the Alina ‘Spark’ variant. Today, I’d like to announce the latest Alina variant, which I’m dubbing ‘Eagle’. Eagle appears to have been around since September 2014.

The file that I’ll be discussing throughout this blog post can be found here.

In my research on this variant, I found that HP discussed it a couple months ago. While HP’s overview is excellent, I wish to expand on a couple areas it didn’t cover.


Alina was originally written in late 2012. Throughout early 2013, Alina saw a very active development period, where many new versions were created in a very short timeframe. Alina has historically performed memory scraping against Microsoft Windows PoS devices in order to steal track data. This malware family also came equipped with a command and control (C&C) component that could be used to exfiltrate data and accept commands. Examples of such commands included downloading and executing further malware, updating itself, and modifying Alina’s settings.

In October 2013, it was reported that Alina’s source code was being sold on underground forums for $2,000. Since then, we have repeatedly seen characteristics of Alina in other PoS malware families. The popular Backoff and JackPOS malware families are two such examples. In addition to these new families, we’ve also encountered newer variants of Alina that presumably used the source code that was sold.

The Eagle variant shares many characteristics with the Spark variant, but makes a number of modifications to its code base.

Similar Characteristics

Similar to Spark, Eagle installs itself to the %APPDATA%\Install directory. However, in this particular case, it will name itself ‘winfax12.exe’.

Winfax.exe and ntfs.dat installed in the %APPDATA%\Install folder

The ‘ntfs.dat’ file continues to store the eight-byte unique identifier for the victim. It also applies the same technique of using the last two bytes of the victim’s volume serial ID for this unique identifier.

The Eagle variant achieves persistence using the following registry key.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winfax12 - %APPDATA%\Install\winfax12.exe

The name of the stored key has been updated to remain consistent with the executable name that Alina uses.

Eagle also uses named pipes, as previously seen in Spark and Alina 5.x. This particular variant uses the following pipe.

\\.\pipe\Eagle[unique victim id]

Eagle has added some names to its blacklist of processes to ignore when performing memory scraping. This both speeds up the memory scraping process and limits the number of false positives. The full list can be seen below.


The C&C component has remained constant for the most part, as Eagle uses the same obfuscation routine witnessed in Spark and other newer variants. Using an example outbound POST request, we can see this decryption below.

Decrypted outbound POST request from Alina Eagle variant

Unlike previous versions of Alina, the Eagle variant uses the following User-Agent.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Eagle Special v12 -> 1.1

Brand New Characteristic

A notable addition to Eagle is its ability to extract VNC credentials. VNC, or Virtual Network Computing, is a remote administration system that comes in many different flavors. It’s widely used by individuals and organizations across the globe to remotely administer machines.

Eagle attempts to extract the credentials to the following VNC applications by querying the victim’s registry.

  • TightVNC
  • RealVNC
  • TigerVNC

Unfortunately for the author, the code contains a bug: the offset to the Unicode string is off by one.

Eagle querying registry strings at the wrong offset

As a result, a number of registry queries were made against a series of null bytes. These queries naturally failed, and Eagle was unable to acquire the data it was looking for.

Failed registry queries

While this particular block of code failed, another function was included to extract UltraVNC credentials from the UltraVNC.ini file. This functionality works as expected.

Should Eagle identify any VNC credentials, it will extract them by emailing an address via SMTPS on port 465. The emails are sent from an email account.


In order to help malware researchers and defenders, the following YARA signature can be used to detect almost all known versions of Alina, including Spark and Eagle. I’ve also included it on the Nuix GitHub page.

rule alina
{
    meta:
        description = "This rule will detect a family of malware named Alina that is responsible for memory scraping and exfiltration (C&C). The malware targets track data on point of sale devices."
        author = "Josh Grunzweig"
        company = "Nuix"

    strings:
        // Alina's embedded track-data regexes, matched here as the literal
        // regex text carried in the binary (hence the doubled backslashes)
        $regex1 = "(((%?[Bb])[0-9]{13,19}\\^[A-Za-z\\s]{0,26}/[A-Za-z\\s]{0,26}\\^(1[2-9])(0[1-9]|1[0-2])[0-9\\s]{3,50}\\?)[; ]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\\?))"
        $regex2 = "([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\\?)"
        $regex3 = "((%?[Bb])[0-9]{13,19}\\^[A-Za-z\\s]{0,26}/[A-Za-z\\s]{0,26}\\^(1[2-9])(0[1-9]|1[0-2])[0-9\\s]{3,50}\\?)"

        // User-Agent strings used by older versions and by Spark
        $user_agent1 = /Alina v\d+\.\d+/ nocase
        $user_agent2 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1 Spark v"

        $log1 = "{[!40!]}{[!4!]}{[!36!]}"
        $log2 = "{[!29!]}{[!32!]}"
        $log3 = "{[!30!]}{[!31!]}{[!4!]}"
        $log4 = "{[!2!]}{[!20!]}{[!21!]}"

        // Process names Alina skips when scraping memory
        $blacklist1 = "explorer.exe"
        $blacklist2 = "chrome.exe"
        $blacklist3 = "firefox.exe"
        $blacklist4 = "iexplore.exe"
        $blacklist5 = "svchost.exe"
        $blacklist6 = "smss.exe"
        $blacklist7 = "crss.exe"
        $blacklist8 = "wininit.exe"
        $blacklist9 = "steam.exe"
        $blacklist10 = "devenv.exe"
        $blacklist11 = "thunderbird.exe"
        $blacklist12 = "skype.exe"
        $blacklist13 = "pidgin.exe"

    condition:
        (any of ($regex*)) or ((all of ($blacklist*)) and (any of ($user_agent*))) or (any of ($log*))
}
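To show what the $regex* strings in the rule actually match when Alina applies them to process memory, here is an added Python example (not the page's or Nuix's code) that unescapes the three patterns and runs them over a constructed buffer containing synthetic test PANs, reporting only masked results.

```python
import re

# Alina's embedded track-data regexes, unescaped from the YARA rule's
# double-quoted strings ("\\^" in YARA is the two characters \^ here).
# The year group (1[2-9]) only accepts expiry years 2012-2019, the
# malware's active period; later years fall through unmatched.
TRACK1 = (r"(%?[Bb])[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^"
          r"(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?")
TRACK2 = r"[0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?"

# One alternation: the two-track form ($regex1) is tried first at each
# offset so a Track1;Track2 pair is reported once, not as two hits.
SCANNER = re.compile(
    rf"(?P<both>{TRACK1}[; ]{{1,3}}{TRACK2})|(?P<t1>{TRACK1})|(?P<t2>{TRACK2})"
)


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(data: bytes) -> list[tuple[str, str]]:
    """Run the scraper's patterns over a raw buffer and return
    (pattern kind, masked PAN) for each hit, in buffer order."""
    text = data.decode("latin-1")  # one character per byte, like raw memory
    hits = []
    for m in SCANNER.finditer(text):
        if m.group("both"):
            kind = "track1+track2"
        elif m.group("t1"):
            kind = "track1"
        else:
            kind = "track2"
        pan = re.match(r"%?[Bb]?([0-9]{13,19})", m.group(0)).group(1)
        hits.append((kind, mask_pan(pan)))
    return hits


# Constructed sample buffer: two synthetic test PANs (not real cards) plus a
# record whose expiry year (20xx) falls outside the patterns' 1[2-9] range.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v2\x00"
    b"%B4111111111111111^DOE/JOHN^1512101000000000?;"
    b"4111111111111111=15121011000000000000?\x00\x00"
    b"batch 5500000000000004=17031010000000000000?\x00"
    b"4111111111111111=20121011000000000000?\x00"
)

if __name__ == "__main__":
    for kind, pan in scan_buffer(SAMPLE_MEMORY):
        print(f"{kind:14s} {pan}")
```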


Overall, this variant is interesting in that it has added the ability to obtain VNC credentials. This would likely prove useful to the attackers in gaining access to other systems that use the same authentication mechanism. While the majority of the variant’s functionality is consistent with Spark, the newer compile timestamps demonstrate that Alina’s source code is still alive and well. I’m sure we’ll continue to see further variants of this family as time goes on.

Posted on January 10, 2015 by Josh Grunzweig