A digital-activity data analytics firm called IntelCrawler, Inc. claims to have identified the author of the BlackPOS malware used in attacks against Target and Neiman Marcus, and spotted similar attacks that are still in progress against six other retailers.
Andrey Komarov, CEO of the Los Angeles-based IntelCrawler, told Reuters Jan. 17 that his company had spotted the six ongoing attacks while analyzing Web traffic in search of the specific entry points and origin of the malware infection behind the Target data breach, which allowed hackers to steal magnetic card-stripe data on 40 million debit and credit cards and demographic data on 70 million additional customers.
The U.S. Department of Homeland Security announced Jan. 16 that the private security firm iSIGHT Partners had helped identify the malware as being of Russian origin, and that it was a derivative version of the BlackPOS malware, which was discovered in the wild early in 2013 and immediately identified by several IT security firms as a major risk for retailers using PC-based point-of-sale systems.
DHS also announced that the same malware had been used in breaches at several other retailers, though it didn’t name the companies or offer any other details.
According to Komarov, BlackPOS was developed by a 17-year-old Russian who goes by the username Ree4 and lives in St. Petersburg.
Ree4 probably did not participate in the attack on Target, but did sell the malware to the actual attackers, according to Komarov, who refused to identify the source of his information other than to say he had been monitoring forums on which he said Ree4 sells malware.
According to the timeline assembled by IntelCrawler, BlackPOS was originally named Kaptoxa (Russian slang for potato, according to Komarov), but was renamed DUMP MEMORY GRABBER by Ree4 when it was first posted for sale. A character string with the name BlackPOS was found to be part of the traffic between the malware client and the command-and-control (C&C) servers hackers used to direct it.
Ree4 sold more than 40 builds of BlackPOS, mostly to buyers in Eastern Europe, according to the IntelCrawler analysis, which names several alleged credit-card-number sales sites among the buyers.
In a series of chat clips Komarov said are exchanges between buyer and seller, Ree4 tells a potential customer that the price for the software is US$2,000 and that the malware grabs credit-card numbers from system memory as they’re scanned and dumps them into a file called time.txt that is sent back to the controller. Ree4 also said the app works only on standalone point-of-sale terminals with a separate monitor that also runs Windows, but not on Verifone systems, which can be attached to PCs but secure credit-card data before it can be scraped by BlackPOS.
IntelCrawler also posted several email addresses, an ICQ ID and Skype address for Ree4 as well as a name and photo, though neither the name nor photo could be confirmed.
Data from server logs captured by IntelCrawler indicate that the first BlackPOS infections were in Australia and Canada, followed by the U.S. A server owned by Neiman Marcus appears to have been infected in mid-July, months before the first indications of trouble from either Neiman Marcus or Target.
An analysis posted by forensic security firm Group-IB dates from March 2013, when the malware was first discovered.
Then called DUMP MEMORY GRABBER by Ree4, the app was written in C++ as a monolithic file with no external libraries. It runs on any version of 32- or 64-bit Windows and uses a module called mmon.exe to scan RAM for credit-card numbers.
The Group-IB rundown shows clips of an instructional video showing the malware’s administrative screen and a screenshot dated March 23, 2013, showing information from compromised credit cards.
The analysis said branches of some major U.S. banks had been compromised, including Chase in Newark, N.J. and Delaware, Capital One in Richmond, Va., a South Dakota Citibank, and Nordstrom FSB Debit in Scottsdale, Ariz.
Even the earliest versions of BlackPOS are based on earlier versions of malware that were being sold and modified on cybercrime forums since at least 2005 and possibly as early as 2003, according to Shane Shook of security firm Cylance, Inc., who was quoted in the Reuters story.
Though the core code of the malware isn’t new, the newest version used a number of new tactics to get around network controls and forensic malware identifiers, and to hide its data transfers and executable code, according to a Jan. 17 story in the Sydney Morning Herald describing iSIGHT’s report to DHS.
Its most effective trick is to send out stolen information and then delete all the record files on the infected system, making it harder to detect.
A report from Seculert found that the malware ran in two stages. First it infected Target’s PoS systems and recorded credit-card numbers and customer information for six days, then began transmitting stolen data through a second infected Target server to an FTP server outside Target’s network.
The attack sequence looked like this, according to Seculert:
“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to an FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2-week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GB of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.”
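The exfiltration pattern Seculert describes, an internal host pushing data to an external FTP server several times a day for two weeks, is exactly the kind of low-and-slow transfer an egress log can reveal if someone aggregates it. The following is an added detection example, not Seculert's or Target's own tooling; it assumes a constructed key=value egress-log format (timestamp, source, destination, destination port, bytes out) and flags any internal-to-external pair that repeatedly uploads to an FTP port across multiple days and exceeds a byte threshold. The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed egress-log line shape; adapt LINE_RE to the firewall or proxy in use.
LINE_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) dport=(\d+) out=(\d+)$')

# Constructed sample (not real Target logs): one host pushes ~400 KB to an
# external FTP server three times a day for four days; a second host makes a
# single small FTP connection that should not be flagged.
SAMPLE_LOG: List[str] = [
    f"2013-12-{day:02d}T{hour:02d}:14:07Z src=10.20.5.17 dst=198.51.100.23 dport=21 out=412000"
    for day in range(2, 6) for hour in (3, 11, 19)
] + ["2013-12-03T09:02:41Z src=10.20.7.3 dst=203.0.113.9 dport=21 out=1800"]


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int, int]]:
    """Parse one egress-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), int(m.group(4)), int(m.group(5))


def find_staged_exfil(lines: List[str], ports=(20, 21), min_days: int = 3,
                      min_per_day: float = 2.0, min_bytes: int = 1_000_000
                      ) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Group FTP uploads by (src, dst) and flag repeated multi-day transfers.

    A single large upload is normal business traffic; the signal here is
    persistence: several transfers per day, on several distinct days, adding
    up to a meaningful volume toward one external destination.
    """
    flows: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, out = rec
        if dport not in ports:
            continue
        flows[(src, dst)].append((ts, out))

    alerts: Dict[Tuple[str, str], Dict[str, int]] = {}
    for (src, dst), events in flows.items():
        days = {ts.date() for ts, _ in events}
        total = sum(out for _, out in events)
        per_day = len(events) / len(days)
        if len(days) >= min_days and per_day >= min_per_day and total >= min_bytes:
            alerts[(src, dst)] = {"days": len(days),
                                  "transfers": len(events),
                                  "bytes": total}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in find_staged_exfil(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {info['transfers']} uploads over "
              f"{info['days']} days, {info['bytes']} bytes")
```

The thresholds are deliberately conservative defaults; in a real deployment they should be tuned per network segment, and the same aggregation works for any protocol once the port filter is widened, since the pattern (periodic uploads to one outside host from a segment that should not talk to the Internet at all) is what matters, not FTP specifically.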