Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013.

On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified.


According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec.

The report has since been removed, but Krebs managed to save a copy of the cached report (found here on his website). Afterward, a “source close to the investigation” tied that report to a malware family Symantec identifies as Infostealer.Reedum.

Reedum is POS RAM scraper malware, a type that scans memory within processes and “scrapes” out anything useful. For POS malware, this is usually Track 2 credit card information that can be used to create a forged copy using special equipment.

I managed to acquire a copy of the Reedum malware, with the first sample uploaded to Virustotal in July of 2012.

When executed, it’s pretty straightforward about what it’s doing; below is a dialog box showing the process scan:

[Image: dialog box showing the process scan]

Back in March of 2012, French security researcher Xylitol analyzed an older version of Reedum from an infected POS system. The sample doesn’t appear to be as robust, but still contains the same functionality. You can see it on his blog here.

Target hasn’t spoken out about how the breach happened, but it’s believed that a web server was compromised and then a control server was established.

Krebs is currently investigating the author of the malware, called “BlackPOS” in underground criminal forums. For more information, see his full blog here.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. Follow him on Twitter @joshcannell


Here (supposedly):

http://carder4africa.blogspot.com/

Though I think these may be generic versions of the real BlackPOS (I haven't looked at them).

Edited by JMC31337

Dumps grabber new 2014.rar (pass: infected)

Scan results:
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-17 W32/Delf.SGH!tr
  • 2014-01-16 Trojan.Siscos!W3ttDAsoIpM
  • 2014-01-16 Nothing found
  • 2014-01-16 Trojan.Siscos.pkl
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Win32:Malware-gen
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Delf.AKTA
  • 2014-01-16 Trojan-Dropper.Delf
  • 2014-01-16 TR/Dropper.Gen
  • 2014-01-17 Trojan.Win32.Siscos.pkl
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Generic
  • 2014-01-17 PUA.Win32.Packer.Pequake-3
  • 2014-01-16 Nothing found
  • 2014-01-16 Troj.W32.Siscos.pkl
  • 2014-01-17 Troj/Trackr-Gen
  • 2014-01-17 Trojan.DownLoad3.24413
  • 2014-01-15 BKDR_DEXTR.B
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-15 Trojan.Siscos
  • 2014-01-16 multiple threats


Blackpos.rar (pass: infected)

Scan results:
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-17 W32/POSCardStealer.B!tr.spy
  • 2014-01-16 TrojanSpy.POSCardStealer!CAj+V6K7Vww
  • 2014-01-17 Nothing found
  • 2014-01-16 Trojan.Siscos.pkl
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Win32:Malware-gen
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Delf.AKTA.dropper
  • 2014-01-16 Trojan-Dropper.Delf
  • 2014-01-16 TR/Malex.E.1634
  • 2014-01-17 Trojan.Win32.Siscos.pkl
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • 2014-01-16 Nothing found
  • 2014-01-17 PUA.Win32.Packer.Pequake-3
  • 2014-01-17 Backdoor.Bezigate
  • 2014-01-16 Troj.W32.Siscos.pkl
  • 2014-01-17 Troj/Trackr-Gen
  • 2014-01-17 Trojan.DownLoader9.58055
  • 2014-01-15 BKDR_DEXTR.B
  • 2014-01-17 Gen:Variant.Graftor.Elzob.20469
  • Maximum time elapsed
  • 2014-01-16 multiple threats

Edited by JMC31337

  • 1 month later...

There's some skill behind this, because scanning patterns of bytes from 00000000-6fffffff quickly isn't as easy as it seems.

 

Really?

Doing a ReadProcessMemory and parsing the memory in search of credit card Track 2 data using a regex isn't hard at all; a 10-year-old can write such malware.

And the same goes for the counter-attack: in something like 100 lines of code you could literally prevent all POS malware from functioning.

Regards
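As an added example, not code from the Malwarebytes article or from any poster in this thread, here is the scrape step that both the article's description of Reedum (scanning process memory for Track 2 data) and the reply above (ReadProcessMemory plus a regex) refer to. It runs a Track 2 pattern search with a Luhn filter over a constructed byte buffer that stands in for what ReadProcessMemory would return; the buffer contents, the test PANs and the helper names are assumptions for illustration. On Windows the real input would come from walking the target's committed regions with VirtualQueryEx and ReadProcessMemory; that platform-specific part is left out so the block runs anywhere.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of 13-19 digits,
# field separator '=', expiry YYMM, 3-digit service code, optional
# discretionary data, end sentinel '?'. A RAM scraper searches process
# memory for exactly this shape, because the POS software holds the swipe
# in the clear between the reader and the encryption step.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*?)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check used to drop digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue  # right shape, but not a real card number
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry_yymm": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
            "discretionary": m.group(4).decode("ascii"),
        })
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual safe form for a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a ReadProcessMemory buffer taken from a POS process
# (assumption for this example). The PANs are the well-known Visa and
# Mastercard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-app heap\x00"
    b";4111111111111111=25121011234567890?"  # Luhn-valid: scraped
    b"\x00\x00log entry\x00"
    b";1234567890123456=2512101?"            # right shape, fails Luhn: skipped
    b"\xff\xfe"
    b";5555555555554444=2609201?"            # Luhn-valid, no discretionary data
    b"\x00"
)

if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']:#x}: {mask_pan(hit['pan'])} "
              f"exp {hit['expiry_yymm']} svc {hit['service_code']}")
```

The same regex-plus-Luhn logic is what a defender runs over a memory dump of a POS process to confirm that cleartext track data is actually present, which is the fact that makes a scraper worthwhile in the first place. The Luhn filter is what separates card numbers from random digit runs; a BIN-range check on the first six digits would tighten it further.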

  • 2 weeks later...


I don't think the actual malware, or variant for that matter, is what blew the lid off Target.

To me it all revolves around how it was distributed via service updates to all the endpoints.

The one piece missing from all the reports is the location of the POS server.

Is it housed at a Target-owned facility or on a dedicated server at a POS farm?
