Targeted attacks steal credit cards from hospitality and educational institutions

Filed Under: Data loss, Featured, Malware

Hotel signA little more than a week ago SophosLabs became aware of a resurgence of an attack against the education and hospitality industries. In at least one case the malware has shown up at a financial services company.

One thing important to note is that it has only been seen at moderate to small size organizations.

These criminals aren't targeting Walmart. They are after organizations with less investment in defensive counter-measures.

The goal of this Trojan is to target credit card processing and point of sale (PoS) equipment and make off with all of the card details.

It installs itself as a service in Windows and the filename is typically rdasrv.exe, while the service is called rdasrv.

More recent samples have changed their name to be A#######.exe, where the # is a random number.

SHA1 checksums we have seen include:

  • fb59188d718f7392e27c4efb520dceb8295a794f
  • 48db3a315d9e8bc0bce2c99cfde3bb9224af3dce
  • daee813c73d915c53289c817e4aadaa6b8e1fb96
  • df74d626df43247fdcd380bbc37b68f48b8c11d4
  • b8c1f7d28977e80550fcbaf2c10b222caea53be8
  • 06a0f4ed13f31a4d291040ae09d0d136d6bb46c3
  • 8126c0d1c738849b06e0fbb0db1b87fa4f630467

The malware is designed to circumvent the protections provided by being PCI/DSS compliant, namely that you don't store credit card numbers unless they are encrypted.

Malware reading memoryThe malware scans through the memory of the infected host looking for track 1 and track 2 credit card data using Perl compatible regular expressions.

Regular expressions looking for credit card information

Track 1 and 2 data typically includes the card holder's name, account number, expiration date, CVV code and other discretionary information.

Track 1 data found

Once the information is scraped from memory it is written to disk in a file named data.txt or currentblock.txt.

The malware does not contain a method of exfiltration for the stolen card data, but in the instances we are aware of it was installed after remote access to the affected computers was already acquired.

Sophos detects the Trojan data stealer as Troj/Trackr-Gen. Considering the targeted nature of the threat it is not widespread, but we are seeing new variants every few days.

, , , , ,

You might like

One Response to Targeted attacks steal credit cards from hospitality and educational institutions

  1. Anna · 1370 days ago

    Are there any areas of the country or particular sites that have been impacted? Always watch my own monthly statements, but it's always good to have a bit of a heads up.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at