The malicious program used to compromise Target and other companies was part of a widespread operation using a Trojan tool known as Trojan.POSRAM, according to a new report released Thursday about an operation that investigators have dubbed Kaptoxa.
The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and stores it on the victim’s own system for later retrieval.
The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia, though the new variant was highly customized to prevent antivirus programs from detecting it, according to iSight Partners and an internal report produced by the U.S. Secret Service and other government agencies investigating the breaches.
Security journalist Brian Krebs, who broke the story about the Target and Neiman Marcus attacks, previously reported correctly that the malware used against Target was based on BlackPOS.
According to iSight, which has seen the government report but would not release it, the attackers also used a variety of other malicious tools to penetrate networks, maintain a persistent foothold on them and extract stolen data. iSight does not identify Target or name any other victims of the Kaptoxa tool, but indicates the investigation into Kaptoxa began on December 18, three days after Target says it discovered malware on its point-of-sale systems.
The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic strip of credit and debit cards data. The tool grabs the data from memory because some companies transmit card data via a secured channel inside their corporate network, which would prevent the attackers from sniffing the data in transit.
The siphoned data is stored on the system, and then every seven hours the malware checks the local time on the compromised system to see if it’s between the hours of 10 a.m. and 5 p.m. If so, it attempts to send the data over a temporary NetBIOS share to an internal host inside the compromised network so the attackers can then extract the data over an FTP — file transfer protocol — connection.
“While some components of the breach operation were technically sophisticated,” iSight writes in its own report about the malware, “the operational sophistication of the compromise activity makes this case stand out. The intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity.”
Jayce Nichols, manager of the cybercrime analysis team at iSight, says that the individual components of the attack are not necessarily sophisticated but the overall operation is.
“The interesting thing is the way the attackers put everything together and the orchestration of the overall attack, not necessarily the sophistication of the individual components,” he said.