On the server side, there's a control panel where attackers can review the compromised systems and the data stolen from them. One of the server's operators was seen accessing the server from an IP address in Ukraine, Fleyder said.
According to Preuss, the .onion-domain that the malware had been using since December has been offline since Wednesday afternoon. It might have used a different server before that, which suggests that the criminal campaign evolved over time, he said.
"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," the RSA researchers said.
Preuss agreed with that assessment, saying that from a technical point of view, the Trojan program is indeed simple and doesn't use advanced code protection or encryption methods that could impede analysis and detection.
Eighty percent of antimalware applications detect the ChewBacca malware at the moment, said Curt Wilson, a senior research analyst at Arbor Networks, a security firm that's also tracking several PoS malware campaigns.
"PoS malware doesn't need to be complicated yet, because attackers find PoS machines to be easy pickings," Wilson said. "They were able to compromise many of their targets so far, so their malware doesn't need to evolve."
Organizations don't usually run antimalware software on their PoS devices, which are seen as brittle and lack strong security controls, Wilson said. However, with all of the attention that PoS malware has been getting lately, they will become more sophisticated over time, he said.
"So far, most PoS systems have been completely unprotected," Fleyder said. "Financially motivated fraudsters are usually searching to take advantage of the low hanging fruit and right now PoS terminals are among the easiest targets for gaining valuable financial data."
This new report about the ChewBacca attack campaign comes after recent confirmations that RAM-scraping malware was found on PoS terminals at retailers Target and Neiman Marcus, leading to the compromise of over 41 million credit card details.
The number of attacks with PoS malware has been on the rise since last year. At the beginning of December, Arbor Networks and another security firm called IntelCrawler identified several attack campaigns with different variants of a PoS RAM scraping malware called Dexter.
"Retailers have a few choices against these attackers," the RSA researchers said. "They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."