The Target Malware found (a followup repost from WIRED)

Image: Juanmonino/Getty

Image: Juanmonino/Getty

The malicious program used to compromise Target and other companies was part of a widespread operation using a Trojan tool known as Trojan.POSRAM, according to a new report released Thursday about an operation that investigators have dubbed Kaptoxa.

The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and stores it on the victim’s own system for later retrieval.

The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia, though the new variant was highly customized to prevent antivirus programs from detecting it, according to iSight Partners and an internal report produced by the U.S. Secret Service and other government agencies investigating the breaches.

Security journalist Brian Krebs, who broke the story about the Target and Neiman Marcus attacks, previously reported correctly that the malware used against Target was based on BlackPOS.

According to iSight, which has seen the government report but would not release it, the attackers also used a variety of other malicious tools to penetrate networks, maintain a persistent foothold on them and extract stolen data. iSight does not identify Target or name any other victims of the Kaptoxa tool, but indicates the investigation into Kaptoxa began on December 18, three days after Target says it discovered malware on its point-of-sale systems.

The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic strip of credit and debit cards data. The tool grabs the data from memory because some companies transmit card data via a secured channel inside their corporate network, which would prevent the attackers from sniffing the data in transit.

The siphoned data is stored on the system, and then every seven hours the malware checks the local time on the compromised system to see if it’s between the hours of 10 a.m. and 5 p.m. If so, it attempts to send the data over a temporary NetBIOS share to an internal host inside the compromised network so the attackers can then extract the data over an FTP — file transfer protocol — connection.

“While some components of the breach operation were technically sophisticated,” iSight writes in its own report about the malware, “the operational sophistication of the compromise activity makes this case stand out. The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity.”

Jayce Nichols, manager of the cybercrime analysis team at iSight, says that the individual components of the attack are not necessarily sophisticated but the overall operation is.

“The interesting thing is the way the attackers put everything together and the orchestration of the overall attack, not necessarily the sophistication of the individual components,” he said.

Kim Zetter

Kim Zetter is a senior reporter at Wired covering cybercrime, privacy, security and civil liberties.

6 thoughts on “The Target Malware found (a followup repost from WIRED)

  1. My spouse and I absolutely love your blog and find almost
    all of your post’s to be just what I’m looking for.
    Do you offer guest writers to write content for yourself?

    I wouldn’t mind publishing a post or elaborating on many
    of the subjects you write about here. Again, awesome weblog!

    Like

  2. Simply wish to say your article is as astonishing.
    The clarity in your post is simply great and i can assume you’re an expert
    on this subject. Well with your permission let me to grab your RSS feed to
    keep updated with forthcoming post. Thanks a million and please carry
    on the gratifying work.

    Like

  3. An impressive share! I have just forwarded this onto a friend who had been doing a little homework on this.
    And he in fact bought me breakfast because I found it
    for him… lol. So let me reword this…. Thanks for the meal!!
    But yeah, thanks for spending the time to discuss this subject here on your internet site.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s