Jump to content
Tuts 4 You

Revealed: POS Malware Used in Target Attack


News Feeder

Recommended Posts

Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013.

On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified.

TargetLogo

According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec.

The report has since been removed, but Krebs managed to save a copy of the cached report (found here on his website). Afterward, a “source close to the investigation” tied that report to a malware family Symantec identifies as Infostealer.Reedum.

Reedum is a POS ram scraper malware, a type that scans memory within processes and “scrapes” out anything useful. For POS malware, this is usually Track 2 credit card information that can be used to create a forged copy using special equipment.

I managed to acquire a copy of the Reedum malware, with the first sample uploaded to Virustotal in July of 2012.

When executed, it’s pretty straightforward about what it’s doing; below is a dialog box showing the process scan:

download

Back in March of 2012, French security Researcher Xylitol analyzed an older version of Reedum from an infected POS system. The sample doesn’t appear to be as robust, but still contains the same functionality. You can see it on his blog here.

Target hasn’t spoken out about how the breach happened, but it’s believed that a web server was compromised  and then a control server was established.

Krebs is currently investigating the author of the malware, called “BlackPOS” in underground criminal forums. For more information, see his full blog here.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. Follow him on Twitter @joshcannell

View the full article
Link to comment

Dumps grabber new 2014.rar


 


pass:infected


 


 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-17 W32/Delf.SGH!tr

 


2014-01-16 Trojan.Siscos!W3ttDAsoIpM

 


2014-01-16 Niets gevonden

 


2014-01-16 Trojan.Siscos.pkl

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Win32:Malware-gen

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Delf.AKTA

 


2014-01-16 Trojan-Dropper.Delf

 


2014-01-16 TR/Dropper.Gen

 


2014-01-17 Trojan.Win32.Siscos.pkl

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Generic

 


2014-01-17 PUA.Win32.Packer.Pequake-3

 


2014-01-16 Niets gevonden

 


2014-01-16 Troj.W32.Siscos.pkl

 


2014-01-17 Troj/Trackr-Gen

 


2014-01-17 Trojan.DownLoad3.24413

 


2014-01-15 BKDR_DEXTR.B

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-15 Trojan.Siscos

 


2014-01-16 multiple threats

 


 


Blackpos.rar


pass:infected


 


 


 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-17 W32/POSCardStealer.B!tr.spy

 


2014-01-16 TrojanSpy.POSCardStealer!CAj+V6K7Vww

 


2014-01-17 Niets gevonden

 


2014-01-16 Trojan.Siscos.pkl

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Win32:Malware-gen

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Delf.AKTA.dropper

 


2014-01-16 Trojan-Dropper.Delf

 


2014-01-16 TR/Malex.E.1634

 


2014-01-17 Trojan.Win32.Siscos.pkl

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


2014-01-16 Niets gevonden

 


2014-01-17 PUA.Win32.Packer.Pequake-3

 


2014-01-17 Backdoor.Bezigate

 


2014-01-16 Troj.W32.Siscos.pkl

 


2014-01-17 Troj/Trackr-Gen

 


2014-01-17 Trojan.DownLoader9.58055

 


2014-01-15 BKDR_DEXTR.B

 


2014-01-17 Gen:Variant.Graftor.Elzob.20469

 


 Maximumtijd verstreken

 


2014-01-16 multiple threats
Edited by JMC31337
Link to comment
  • 1 month later...

Theirs some skill behind this because scanning patterns of bytes from 00000000-6fffffff quickly isn't easy as it seems

 

really ?

do a ReadProcessMemory and parsing the memory in search of credit card track2 using regex isn't hard at all, a 10 years old can write such malware.

and same for counter-attack, in like 100 lines of code you could literally prevent all POS malware from functioning

 

Regards

  • Like 1
Link to comment
  • 2 weeks later...


i don't think the actual malware - or variant for that matter - is what blew the lit off Target.


To me it revolves all about how it was distributed via service updates to all the end-points.


The one piece missing from all the reports is the location of the POS server.


Is it housed at a Target-owned facility or a dedicated server at a POS farm.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...