News Feeder Posted January 16, 2014 Share Posted January 16, 2014 Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013. On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified. According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec. The report has since been removed, but Krebs managed to save a copy of the cached report (found here on his website). Afterward, a “source close to the investigation” tied that report to a malware family Symantec identifies as Infostealer.Reedum. Reedum is a POS ram scraper malware, a type that scans memory within processes and “scrapes” out anything useful. For POS malware, this is usually Track 2 credit card information that can be used to create a forged copy using special equipment. I managed to acquire a copy of the Reedum malware, with the first sample uploaded to Virustotal in July of 2012. When executed, it’s pretty straightforward about what it’s doing; below is a dialog box showing the process scan: Back in March of 2012, French security Researcher Xylitol analyzed an older version of Reedum from an infected POS system. The sample doesn’t appear to be as robust, but still contains the same functionality. You can see it on his blog here. Target hasn’t spoken out about how the breach happened, but it’s believed that a web server was compromised and then a control server was established. Krebs is currently investigating the author of the malware, called “BlackPOS” in underground criminal forums. For more information, see his full blog here. _________________________________________________________________ Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. Follow him on Twitter @joshcannell View the full article Link to comment Share on other sites More sharing options...
JMC31337 Posted January 17, 2014 Share Posted January 17, 2014 (edited) here (supposedly) http://carder4africa.blogspot.com/ though i think these may be generic versions of the real BlackPOS ( i havent looked at em) Edited January 17, 2014 by JMC31337 Link to comment Share on other sites More sharing options...
JMC31337 Posted January 17, 2014 Share Posted January 17, 2014 (edited) Dumps grabber new 2014.rar pass:infected 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-17 W32/Delf.SGH!tr 2014-01-16 Trojan.Siscos!W3ttDAsoIpM 2014-01-16 Niets gevonden 2014-01-16 Trojan.Siscos.pkl 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Win32:Malware-gen 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Delf.AKTA 2014-01-16 Trojan-Dropper.Delf 2014-01-16 TR/Dropper.Gen 2014-01-17 Trojan.Win32.Siscos.pkl 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Generic 2014-01-17 PUA.Win32.Packer.Pequake-3 2014-01-16 Niets gevonden 2014-01-16 Troj.W32.Siscos.pkl 2014-01-17 Troj/Trackr-Gen 2014-01-17 Trojan.DownLoad3.24413 2014-01-15 BKDR_DEXTR.B 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-15 Trojan.Siscos 2014-01-16 multiple threats Blackpos.rarpass:infected 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-17 W32/POSCardStealer.B!tr.spy 2014-01-16 TrojanSpy.POSCardStealer!CAj+V6K7Vww 2014-01-17 Niets gevonden 2014-01-16 Trojan.Siscos.pkl 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Win32:Malware-gen 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Delf.AKTA.dropper 2014-01-16 Trojan-Dropper.Delf 2014-01-16 TR/Malex.E.1634 2014-01-17 Trojan.Win32.Siscos.pkl 2014-01-17 Gen:Variant.Graftor.Elzob.20469 2014-01-16 Niets gevonden 2014-01-17 PUA.Win32.Packer.Pequake-3 2014-01-17 Backdoor.Bezigate 2014-01-16 Troj.W32.Siscos.pkl 2014-01-17 Troj/Trackr-Gen 2014-01-17 Trojan.DownLoader9.58055 2014-01-15 BKDR_DEXTR.B 2014-01-17 Gen:Variant.Graftor.Elzob.20469 Maximumtijd verstreken 2014-01-16 multiple threats Edited January 17, 2014 by JMC31337 Link to comment Share on other sites More sharing options...
JMC31337 Posted January 23, 2014 Share Posted January 23, 2014 Lil more info on all of this card memory grabbing:http://volatility-labs.blogspot.com/2014/01/comparing-dexter-and-blackpos-target.html?m=1OpenProcessVirtualQueryExReadProcessMemoryTheirs some skill behind this because scanning patterns of bytes from 00000000-6fffffff quickly isn't easy as it seems Link to comment Share on other sites More sharing options...
Xyl2k Posted February 24, 2014 Share Posted February 24, 2014 Theirs some skill behind this because scanning patterns of bytes from 00000000-6fffffff quickly isn't easy as it seems really ? do a ReadProcessMemory and parsing the memory in search of credit card track2 using regex isn't hard at all, a 10 years old can write such malware. and same for counter-attack, in like 100 lines of code you could literally prevent all POS malware from functioning Regards 1 Link to comment Share on other sites More sharing options...
nonspin Posted March 11, 2014 Share Posted March 11, 2014 i don't think the actual malware - or variant for that matter - is what blew the lit off Target.To me it revolves all about how it was distributed via service updates to all the end-points.The one piece missing from all the reports is the location of the POS server.Is it housed at a Target-owned facility or a dedicated server at a POS farm. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now