NetWire RAT acts as keylogger, steals payment card data


According to the SecureWorks Incident Response Team (IRT), a remote access trojan (RAT) is now being used to steal credit card data.

The IRT team spotted this in September while investigating a security incident at an organisation which processes numerous credit cards on a daily basis.

The NetWire RAT not only steals credit card and debit card data, but it can also steal other sensitive business, personal and financial data such as online banking credentials, national insurance numbers, names, addresses and phone numbers.

The RAT was being used instead of memory scraping malware, which is typically found stealing card data from point-of-sale (POS) computers, as in the Target and Neiman Marcus breaches.

In many payment card data breaches, POS systems are infected with malware that searches for specific processes in memory that are known to store card data in plain text.

The malware then copies card data from the running processes, a technique known as memory scraping, to encoded files on disk. These files are then transmitted to a criminal, often over commonly open ports 80 and 443 (HTTP and HTTPS). The criminal sells the card data or uses it for fraudulent purchases.

NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers. The attack methodology is very similar to traditional POS malware. A criminal sends a phishing email with a malicious attachment to an employee working on a POS computer.

If the employee opens the attachment, malware to harvest card data is downloaded or installed. Without proper security protections in place, these infections can remain undetected for months or years.

Keyloggers expose more than just card data; credentials for online accounts and applications such as email, property management systems (PMS) and internet browsers are also at risk. Other sensitive information typed by the user, including phone numbers, addresses and birthdates can also be compromised.

Using a RAT with keylogging capabilities, a criminal could gather necessary information to commit identity theft and further compromise an organisation's network. The generic NetWire RAT variant used in this incident did not contain specific capabilities to target POS systems.

The IRT team said: “Payment card data breaches can cause significant financial and reputational damages for an organisation, and can lead to restrictions imposed by compliance bodies and loss of future business. Prevention and detection is critical to ensure that threats to customer data are prevented or detected. Traditional antivirus software and other systems that rely on low-level indicators do not effectively detect and block common and pervasive malware.”
