Targeted attacks steal credit cards from hospitality and educational institutions

A little more than a week ago SophosLabs became aware of a resurgence of an attack against the education and hospitality industries. In at least one case the malware has shown up at a financial services company.

One thing important to note is that it has only been seen at moderate to small size organizations.

These criminals aren’t targeting Walmart. They are after organizations with less investment in defensive counter-measures.

The goal of this Trojan is to target credit card processing and point of sale (PoS) equipment and make off with all of the card details.

It installs itself as a service in Windows and the filename is typically rdasrv.exe, while the service is called rdasrv.

More recent samples have changed their name to be A#######.exe, where the # is a random number.

SHA1 checksums we have seen include:

  • fb59188d718f7392e27c4efb520dceb8295a794f
  • 48db3a315d9e8bc0bce2c99cfde3bb9224af3dce
  • daee813c73d915c53289c817e4aadaa6b8e1fb96
  • df74d626df43247fdcd380bbc37b68f48b8c11d4
  • b8c1f7d28977e80550fcbaf2c10b222caea53be8
  • 06a0f4ed13f31a4d291040ae09d0d136d6bb46c3
  • 8126c0d1c738849b06e0fbb0db1b87fa4f630467
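The service name, filename pattern and SHA1 list above are the indicators a responder has to work with. As an added example (not Sophos code), here is a small Python triage routine that checks a host's service inventory against them. It assumes "A#######" means exactly seven digits, and the non-malicious service records and the two hashes that are not from the list above are constructed placeholders.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# SHA1 checksums taken from the article's indicator list.
KNOWN_SHA1 = {
    "fb59188d718f7392e27c4efb520dceb8295a794f",
    "48db3a315d9e8bc0bce2c99cfde3bb9224af3dce",
    "daee813c73d915c53289c817e4aadaa6b8e1fb96",
    "df74d626df43247fdcd380bbc37b68f48b8c11d4",
    "b8c1f7d28977e80550fcbaf2c10b222caea53be8",
    "06a0f4ed13f31a4d291040ae09d0d136d6bb46c3",
    "8126c0d1c738849b06e0fbb0db1b87fa4f630467",
}
SERVICE_NAME = "rdasrv"
# rdasrv.exe, or A followed by seven digits (assumption: "A#######" = 7 digits).
FILENAME_RE = re.compile(r"^(rdasrv|A\d{7})\.exe$", re.IGNORECASE)


class ServiceRecord(NamedTuple):
    name: str        # Windows service name
    image_path: str  # path of the service executable
    sha1: str        # SHA1 of that executable


def match_indicators(rec: ServiceRecord) -> list[str]:
    """Return the list of indicators this record matches (empty if clean)."""
    reasons = []
    if rec.name.lower() == SERVICE_NAME:
        reasons.append("service name rdasrv")
    basename = rec.image_path.replace("\\", "/").rsplit("/", 1)[-1]
    if FILENAME_RE.match(basename):
        reasons.append(f"filename pattern {basename}")
    if rec.sha1.lower() in KNOWN_SHA1:
        reasons.append("known SHA1")
    return reasons


def triage(records: list[ServiceRecord]) -> dict[str, list[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    flagged = {}
    for rec in records:
        reasons = match_indicators(rec)
        if reasons:
            flagged[rec.name] = reasons
    return flagged


# Constructed sample inventory: one clean service, one hit on all three
# indicators, one newer-style name caught by the filename pattern only.
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe", "0" * 40),  # placeholder hash
    ServiceRecord("rdasrv", r"C:\Windows\System32\rdasrv.exe",
                  "fb59188d718f7392e27c4efb520dceb8295a794f"),
    ServiceRecord("A1234567", r"C:\Windows\A1234567.exe", "1" * 40),          # placeholder hash
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the records would come from `sc query` / `Get-Service` output plus a hash of each image path; matching on the filename pattern alone is weak evidence, so treat it as a lead to confirm with the hash or with the memory-scanning behaviour described below.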

The malware is designed to circumvent the protections provided by PCI DSS compliance, namely that you don’t store credit card numbers unless they are encrypted: it reads the card data while it is in memory, before it is ever encrypted or written to disk.

The malware scans through the memory of the infected host looking for track 1 and track 2 credit card data using Perl-compatible regular expressions.

[Screenshot: regular expressions looking for credit card information]

Track 1 and 2 data typically includes the card holder’s name, account number, expiration date, CVV code and other discretionary information.

[Screenshot: track 1 data found]

Once the information is scraped from memory it is written to disk in a file named data.txt or currentblock.txt.

The malware does not contain a method of exfiltration for the stolen card data, but in the instances we are aware of it was installed after remote access to the affected computers was already acquired.

Sophos detects the Trojan data stealer as Troj/Trackr-Gen. Considering the targeted nature of the threat it is not widespread, but we are seeing new variants every few days.