Researchers have unearthed malware that recently infected point-of-sale terminals at several dozen retailers in the US and other countries and successfully captured customers' payment card data.

"ChewBacca," as the crimeware is dubbed, scrapes large chunks of computer memory from infected terminals and dumps them to a file, a researcher from RSA reported in a blog post published Thursday. It then uses regular expressions and other programming techniques to extract data that was copied from credit and debit cards. ChewBacca also captures sensitive data using a generic keylogger.

"The ChewBacca trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," Yotam Gottesman, a senior security researcher on RSA's FirstWatch team, wrote. Researchers found that beginning in late October, ChewBacca had logged track 1 and 2 data of payment cards scanned on infected terminals. Most of the affected retailers were located in the US, although some were in other countries, including Russia, Canada, and Australia.
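The two paragraphs above describe the core technique: a raw memory dump followed by regular-expression extraction of track 1 and track 2 data. As an added example for incident responders (not code from the RSA report or from the malware), the scanner below shows how to triage a suspected dump file for the same track formats, validating candidate PANs with the Luhn check and masking them before reporting. The dump bytes are constructed test data, not real card records.

```python
import re

# Constructed sample of a memory-scrape dump: two valid-looking track records
# around a PAN that passes Luhn, plus one record whose PAN fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00noise%B4111111111111111^DOE/JANE^25121010000000000000?\x00"
    b"garbage;4111111111111111=25121010000000000?more"
    b";4111111111111112=2512101?"  # fails Luhn: not a plausible PAN
)

# Track 1: %B<PAN>^<NAME>^<YYMM>... ; Track 2: ;<PAN>=<YYMM>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(blob: bytes) -> list:
    """Find Luhn-valid track 1/2 records in a dump; report masked PAN, expiry, offset."""
    hits = []
    for track, pattern, exp_group in ((1, TRACK1, 3), (2, TRACK2, 2)):
        for m in pattern.finditer(blob):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append({"track": track, "pan": mask_pan(pan),
                             "expiry": m.group(exp_group).decode(),
                             "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```

Running it over a real dump would be done on the file ChewBacca writes, with only the masked summary leaving the analysis host.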

Gottesman was careful to say that neither ChewBacca nor memory-scraping point-of-sale malware in general is new. Indeed, researchers from Moscow-based Kaspersky Lab performed an autopsy of ChewBacca in December. The inner workings of the payment-card-slurping Dexter and its use in real-world breaches are also already well known. The recent security breach of the internal network of retailer Target, which led to the compromise of 40 million payment cards, has renewed interest in such malware. There was nothing in the report indicating that ChewBacca played any role in the attack on Target.

RSA researchers were able to infiltrate the command and control server that terminals infected by ChewBacca reported to. The communication is handled through the Tor anonymity network, which made it impossible to detect the real IP address of the server host. The encryption performed by the Tor-based client may also have helped the mass theft of data remain undetected by network security devices. Interestingly, an administrator logging in to the ChewBacca control server was briefly seen using an IP address based in an eastern European country before disappearing behind Tor.

"The server side control panel allows the botmaster easy access to manage the botnet and review the compromised data," Gottesman wrote. "A 'reports' screen lists information about the compromised machines and the data captured from each of them. Data is presented in either parsed form or in raw text (as it was grabbed from the machine)."

RSA has already reported its findings to law enforcement agencies. It's unclear exactly how ChewBacca got installed on infected machines.