A little more than a week ago SophosLabs became aware of a resurgence of an attack against the education and hospitality industries. In at least one case the malware has shown up at a financial services company.
One important thing to note is that it has only been seen at small to moderate-sized organizations.
These criminals aren’t targeting Walmart. They are after organizations with less investment in defensive counter-measures.
The goal of this Trojan is to target credit card processing and point of sale (PoS) equipment and make off with all of the card details.
It installs itself as a service in Windows and the filename is typically rdasrv.exe, while the service is called rdasrv.
More recent samples have changed their name to be A#######.exe, where the # is a random number.
SHA1 checksums we have seen include:
The malware is designed to circumvent the protections that PCI DSS compliance provides, namely that you don’t store credit card numbers unless they are encrypted.
The malware scans through the memory of the infected host looking for track 1 and track 2 credit card data using Perl compatible regular expressions.
Track 1 and 2 data typically includes the card holder’s name, account number, expiration date, CVV code and other discretionary information.
Once the information is scraped from memory it is written to disk in a file named data.txt or currentblock.txt.
The malware does not contain a method of exfiltration for the stolen card data, but in the instances we are aware of it was installed after remote access to the affected computers was already acquired.
Sophos detects the Trojan data stealer as Troj/Trackr-Gen. Considering the targeted nature of the threat it is not widespread, but we are seeing new variants every few days.
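As an added illustration (not Sophos code), the following Python triage helper checks a host for the indicators described above: the rdasrv / A#######.exe file names and the data.txt or currentblock.txt drop files holding track 1 or track 2 formatted data. The track layouts follow ISO 7813, the Luhn check cuts false positives on random digit runs, and the sample input is constructed using the well-known Visa test PAN.

```python
import re

# Indicators from the write-up: service/file name and the drop files the Trojan writes to.
SERVICE_NAME = "rdasrv"
DROP_FILES = {"data.txt", "currentblock.txt"}
# rdasrv.exe, or the newer A#######.exe where each # is a digit
SUSPECT_EXE = re.compile(r"^(rdasrv|A\d{7})\.exe$", re.IGNORECASE)

# ISO 7813 layouts: track 1 is %B<PAN>^<NAME>^<YYMM>...?, track 2 is ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]{0,100}\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?]{0,37}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; a PAN that fails it is almost certainly not card data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def suspicious_filename(name: str) -> bool:
    """True for file names matching the samples described (rdasrv.exe, A#######.exe)."""
    return bool(SUSPECT_EXE.match(name))


def find_track_data(text: str) -> list:
    """Return (track, PAN) pairs whose PAN passes Luhn, for triaging a drop file."""
    hits = []
    for label, rx in (("track1", TRACK1), ("track2", TRACK2)):
        hits += [(label, m.group(1)) for m in rx.finditer(text) if luhn_ok(m.group(1))]
    return hits


def triage_file(name: str, text: str) -> dict:
    """Alert when a known drop-file name also holds track-formatted card data."""
    hits = find_track_data(text)
    known = name.lower() in DROP_FILES
    return {"known_drop_name": known, "track_hits": hits, "alert": known and bool(hits)}


# Constructed sample: test PAN 4111111111111111 in both track layouts plus a decoy digit run.
SAMPLE = ("%B4111111111111111^DOE/JOHN^25121011000000000000?\n"
          ";4111111111111111=25121011000000000000?\n"
          "serial 12345678901234 no track here\n")

if __name__ == "__main__":
    print(triage_file("data.txt", SAMPLE))
```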