Security Firm IDs Malware Used in Target Attack
A security company that worked with the U.S. Secret Service to investigate the data breach at Target identified the malware used in the attack as a sophisticated derivative of a previously known Trojan.
Thu, January 16, 2014
Computerworld — A security company that worked with the U.S. Secret Service to investigate the data breach at Target identified the malware used in the attack as a sophisticated derivative of a previously known Trojan program designed to steal data from Point-of-Sale (POS) systems.
In a report released Thursday, iSight Partners identified the tool as Trojan.POSRAM, which it described as software that can find, store and transmit credit card and PIN numbers from POS systems.
The Trojan is being used in a "persistent, wide-ranging, and sophisticated" cyber campaign dubbed KAPTOXA targeting "many operators" of POS systems, the company warned. Some affected companies may not yet know they've been compromised or have already lost data, the iSight report noted. It did not mention Target as the company that was investigated.
Tiffany Jones, the author of the report, described the POSRAM Trojan as a customized version of BlackPOS, a piece of malware that has been available in the cyber underground since at least last February.
Like BlackPOS, the POSRAM Trojan is designed to steal a card's magnetic stripe data while it is stored momentarily in a POS system's memory, just after a credit or debit card is swiped at the terminal.
After infecting a POS terminal, the malware monitors the memory address spaces on the device for specific information. When it finds something of interest, the software saves the data to a local file and then transfers it to the attackers at preset times. The malware is also coded to delete the local file afterwards to cover its tracks.
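Because the scraped card data is staged in a local file before exfiltration, a responder triaging a POS host can look for files (or memory images) that contain magnetic-stripe Track 2 records. The following is an added forensic example, not code from the iSight report or from this article: it scans a byte blob for Track 2 layout (PAN, "=" separator, YYMM expiry, service code, optional discretionary data, "?" end sentinel), confirms each PAN with the Luhn check, and reports masked PANs only. The sample bytes and the `scan_file` helper are constructed for illustration.

```python
import re

# Track 2 layout: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code,
# optional discretionary digits, '?' end sentinel. Leading ';' sentinel is optional
# because scraped copies often lack it. Bytes pattern: \d is [0-9].
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (filters false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> list:
    """Find Track 2 candidates in a blob; never return the full PAN."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode("ascii")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group(2).decode("ascii"),
            "luhn_ok": luhn_ok(pan),
        })
    return hits


def scan_file(path: str) -> list:
    """Hypothetical helper: run find_track2 over a staging file or memory dump."""
    with open(path, "rb") as fh:
        return find_track2(fh.read())


# Constructed sample: one valid test PAN (4111...) and one digit run that looks
# like Track 2 but fails Luhn, surrounded by unrelated bytes.
SAMPLE = (b"\x00log 2014-01-16 txn ok\x00"
          b";4111111111111111=25121010000000000000?\x00"
          b"noise 12345 more noise\x00"
          b"1234567890123=2506201?\x00")
```

Only Luhn-valid hits are worth escalating; a Luhn failure on a Track 2 shaped run is usually a coincidence in binary data.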
According to Jones, at least 75% of the code in POSRAM is similar to the code in BlackPOS. Where POSRAM differs is in the methods it uses to evade detection by anti-malware tools, said Jones, who is a senior vice president of client solutions and support at iSight.
At the time the code was discovered, even fully updated antivirus tools would not have been able to detect the malware. "This software contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics, concealing all data transfers and executions that may have been run, rendering it harder to detect," the iSight report said.
Because of the ongoing investigation, iSight is not able to disclose how the attackers have managed to install the malware on targeted POS systems, Jones said. But retailers who are concerned about their systems should get in touch immediately with the Secret Service, she said.