Target, Neiman Marcus Malware Creators Identified

Eastern European team developed memory-scraping Kaptoxa (BlackPOS) malware, sold it at least 40 times, says cyber-intelligence firm.


A team of at least two developers created the point-of-sale malware used to hack Target, Neiman Marcus, and likely other retailers in the United States, Australia, and Canada.

So said information security intelligence firm IntelCrawler Friday in a report that named a 17-year-old Russian teenager who used the online handle "ree[4]" (a.k.a. ree4) as the suspected author of the BlackPOS -- for point-of-sale -- malware. The malware is also known as Kaptoxa, Russian slang for "potato."

But security journalist Brian Krebs, who broke the news of the Target breach in December, questioned IntelCrawler's findings. Subsequently, the intelligence firm updated its research, naming instead a second teenage suspect, who it said shared the ree4 handle with the first suspect. "Intelcrawler apparently just changed its mind about the guy responsible for the Target POS malware," Krebs tweeted Monday. "Now they have the right guy."

The revised research report said that the first suspect was one of several individuals who provided technical support for the newly named suspect -- again, ree4 -- a "very well known programmer of malicious code" who appears to be based in St. Petersburg, Russia. The wider gang appears to be based in Russia or in other former Soviet states.


The Kaptoxa malware was also sold under the name "Dump Memory Grabber," and reportedly found a number of buyers. "Ree4 has sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit cards shops such as '.rescator,' ',' ',' and many others," according to the IntelCrawler report. The firm said that the developers also appear to have sold the source code to several buyers, and modified builds of the code for others.

The malware was advertised on hacking forums as being able to scrape the RAM of POS devices for "dumps" -- carder slang for magnetic-stripe track data -- and then transmit them in batches via FTP to an external server. "This trojan is written on pure C++ without any additional libraries, is used for dumps grabber [and] credit cards from RAM memory of all running processes," according to a translation of a Russian-language advertisement, published by IntelCrawler. "It works on all Windows systems, including x64. It uses mmon.exe for RAM scanning, very silent on the computer, there is a timeout for autorun (we can change it). It can also repeat sending dumps. The log is sent to the gate through FTP, each new log has the date, like 1.09.56-16.02.2013.txt, we can also modify it on email. All questions to [email protected]."

Those details square with what's known about the Target breach, including the attackers' use of memory-scraping malware and their exfiltration of stolen data via FTP to a server in Russia.

Image credit: Robert Scoble.

Target warned customers in mid-December that 40 million debit and credit cards had been stolen. Later, it said that attackers had also obtained personal information on 70 million customers. That suggests that the gang behind the Target attack employed more than just POS malware.

People with knowledge of the investigations at Target and Neiman Marcus, speaking on background, have said that the breaches are related, and suggested that at least three more retail firms were likewise compromised. While the Target breach began in late November 2013, recent reports have also suggested that Neiman Marcus was hacked in July 2013, and the breach not fully contained until Jan. 12, 2014.

How much might attackers have spent to successfully hack into POS systems at Target or any other retailer? IntelCrawler said the Kaptoxa malware was being sold for $2,000, or else a 50% cut of all profits made from intercepted credit and debit card data, to be deposited to the developer's Liberty Reserve account.

But the real culprits are arguably the gang or gangs that have been actively employing the POS malware, rather than whoever built the malware. "The real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," said Dan Clements, president of IntelCrawler, via the company's research report.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

