Researcher Disputes Report BlackPOS Used in Home Depot, Target Attacks

A code analysis reveals the malware was not from the same family and was probably written by different people


A security researcher has found that the malware samples used in the Home Depot and Target breaches are unrelated and cannot be used as an indicator that the same group is behind the attacks.

An analysis of the malware code revealed no similarities in architecture or technique that would show the software is even from the same family, Josh Grunzweig, principal security consultant for enterprise search company Nuix, said Friday.

"With coding, there's a lot of different ways to essentially reach the same goal," Grunzweig said. "When you look at the two samples, pretty much every single decision was in the exact opposite when it came to approach."

Grunzweig's analysis contradicts a KrebsOnSecurity report this week that variants of the BlackPOS malware were used in both attacks. Brian Krebs, a former Washington Post reporter, writes the blog.

Late last month, security vendor Trend Micro reported that a BlackPOS variant was being used to attack retailers, such as Target, but did not say the same malware was used against Home Depot.

In a Sept. 9 post, Trend Micro acknowledged that "speculation suggests" the BlackPOS variant it found was used against Home Depot, because the malware discovered in the retailer's systems had very similar behavior.

"Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS," Trend Micro said. "It is an improved clone of the original, which is why we decided to call this BlackPOS ver2."

BlackPOS was designed by a Russian teenager to steal credit- and debit-card data from retailers' electronic payment systems. The malware source code has been available since 2012.

Hackers typically stay within the same family of malware in launching attacks. However, it is also possible for the same group to use different malware.

Therefore, malware similarities, or dissimilarities, are not conclusive evidence that attackers are from the same group or multiple groups.

Krebs also reported that payment card data stolen from Home Depot was for sale on the same underground marketplace where Target data was sold.

Grunzweig's analysis focused only on the malware and did not draw any conclusions on whether the attackers behind the breaches were the same. But like other researchers, his instincts told him the attacks were somehow related.

"I think the groups probably are the same, but I'm just talking about the malware," he said. "I can only speculate on the groups behind them."

In breaking down the malware, Grunzweig drew the conclusion that "these were not coded by the same people."

While BlackPOS was used in the Target attack, the malware in the Home Depot breach contained different techniques for copying stolen data to another location on the victims' network before sending it to the hackers.

In addition, the malware used different techniques for identifying card data after payment cards were swiped. The executable used to run the malware was also different.

"Under the hood, everything was different," Grunzweig said. "These were not part of the same malware family."

The Target breach, which occurred during last year's holiday shopping season, exposed more than 40 million debit- and credit-card accounts. Home Depot reported this week that the attack on its payments systems affected all stores in the U.S. and Canada, which service millions of customers a year.

Home Depot did not say how many payment card accounts were affected.

This story, "Researcher Disputes Report BlackPOS Used in Home Depot, Target Attacks" was originally published by CSO.
