Improved Version of POS Malware Capable of Directly Exfiltrating Data

SophosLabs experts analyze the changes made to a Trojan over the course of 15 months

Malware families designed to steal data from Point of Sale (POS) systems have become highly problematic, and experts warn that cybercriminals are continually working on improving their creations.

Sophos experts have taken another look at Troj/Trackr-Gen, a Trojan that has mainly been spotted on the computers of hospitals and educational institutions. They found that some important changes, both technical and strategical, have been made to the malware over the past 15 months.

First of all, the malware doesn’t store the stolen information on the local disk before sending it to the attacker. Instead, it has the ability to directly exfiltrate data.

Researchers believe cybercriminals have adapted this strategy because the Payment Card Industry (PCI) requires merchants to encrypt sensitive data when they store it. In addition, some data, such as CVVs, shouldn’t be stored at all once a transaction is completed.

In addition to the data exfiltration mechanism, the crooks have also started generating random five-character file names.

“For variants using hardcoded names the common use of rdasrv.exe has been extended to include filename options designed to hide in plain sight such as windowsfirewall.exe or msupdate.exe,” SophosLabs experts explained.

As far as strategy is concerned, the criminals are now targeting even smaller businesses. They’ve never targeted very large businesses, but now they’re even targeting companies such as a single car dealership from Australia.

Experts note that stealing $100 from 1 million people is just as effective as stealing $100 million from a large company, which is why the owners of small businesses should never assume they would never be targeted by cybercriminals simply because they’re not big enough.

Another thing worth mentioning is that researchers have uncovered a piece of code in the malware which read “B0tswanaRul3z.” This might indicate that the attackers are from Botswana, or that’s where most of their victims are located, or maybe that’s where they spend all their illegally earned proceeds.

Hot right now  ·  Latest news