Alina is a Point of Sale Malware or POS RAM Scraper that is used by cybercriminals to scrape credit card and debit card information from the point of sale system. It first started to scrape information in late 2012. It resembles JackPOS Malware.
Process of Alina POS RAM Scraper
Once executed, it gets installed on the user computer and check for the alina code update. Then it removes the existing alina code and installs the latest version of code. Next, it adds the file path to an Auto Start runkey to remain persistent. Adds java.exe to the %APPDATA% directory and executes the copy in %APPDATA% directory using the parameter called alina= <original_alina> as a final step of installation.
It inspects the process of the user with the help of CreateToolhelp32Snapshot and takes the snapshot of all the processes. The Process32First which retrieves the track 1 and track 2 information in the process memory. Alina maintains the blacklist of processes, if there is no process information in the blacklist it opens OpenProcess and read the memory content to run the process memory content. Once the data are scraped it sends it to C&C serves using HTTP POST that are hardcoded in binary.