Reports emerged earlier this week that a BlackPOS variant discovered last month by Trend Micro was to blame for the data breach at Home Depot, raising speculation that the breach was carried out by the same group that breached Target and with the same malware. But new analysis has led some researchers to believe that it isn't related to BlackPOS at all.
As Josh Grunzweig wrote on the nuix "Unstructured" blog: "After careful review of both [malware] samples, I don’t believe the sample in question is actually part of the BlackPOS malware family. While I thought Trend Micro’s technical analysis was fantastic and overall a good read, it does not clearly identify a connection between the two samples."
Grunzweig points to a number of ways in which the malware variants differ:
- The PE subsystem is configured differently. BlackPOS was built as a Windows (GUI) subsystem executable, while the new malware was built as a console subsystem executable.
- Installation differs. BlackPOS is configured to run without any command-line arguments, while the new malware accepts several. The new malware also uses a service-dependency technique that BlackPOS does not: it registers itself as a dependency of another service, so that stopping or deleting it is harder.
- String obfuscation techniques differ. BlackPOS uses a character-shift routine, while the new malware uses an XOR routine.
- Although both malware variants dump harvested card data to a fake DLL file, they format and obfuscate that data differently. BlackPOS includes a command in the data format and obfuscates it with a customized version of Base64. The new malware includes the victim's IP address in the format and obfuscates it with a substitution cipher.
- Both samples move the harvested data over network shares, but their techniques differ. BlackPOS uses direct system calls, while the new malware writes out a batch script and runs it with a call to the CreateProcessA() Windows API.
- The APIs used for process enumeration differ. BlackPOS uses EnumProcesses(), while the new malware uses CreateToolhelp32Snapshot().
- Lastly, BlackPOS uses a more focused whitelist of process names to target, while the new malware uses a blacklist of processes to exclude and scans everything else.
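The obfuscation difference in the list above (a per-character shift versus an XOR routine) is the kind of thing an analyst confirms by brute-forcing both schemes against a recovered string blob and scoring what comes out. The Python below is an added example written for this page; it is not code from either sample, from Trend Micro, or from Grunzweig's analysis. The shift amount, the XOR key, the sample strings, and the marker-token weights are all assumptions constructed for the demonstration; real samples would use their own parameters.

```python
import string

# Constructed sample plaintexts for the demonstration (assumption: not strings
# recovered from either sample).
SAMPLE_STRINGS = [
    b"\\\\10.0.0.5\\c$\\windows\\temp\\data.bin",
    b"cmd.exe /c net use",
]

# Tokens an analyst would expect in a correctly decoded POS-malware string
# (UNC share prefixes, executable and DLL names). Weights are an assumption.
MARKER_TOKENS = {b"\\\\": 1, b".exe": 2, b".dll": 2, b".bin": 2, b"net use": 3, b"cmd": 1}

# Printable ASCII minus vertical tab / form feed, which rarely appear in real strings.
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\x0b\x0c")


def shift_encode(data: bytes, shift: int) -> bytes:
    """Per-byte additive shift with 8-bit wraparound, modelling a
    BlackPOS-style character shift. The shift amount is an assumption."""
    return bytes((b + shift) & 0xFF for b in data)


def shift_decode(data: bytes, shift: int) -> bytes:
    """Inverse of shift_encode."""
    return bytes((b - shift) & 0xFF for b in data)


def xor_code(data: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> tuple:
    """Rank a decoding attempt: marker-token hits first, printability second.
    Printability alone is not enough, because a shifted ASCII blob XORed with a
    small key often stays printable; the tokens break that ambiguity."""
    printable = sum(1 for b in candidate if b in PRINTABLE) / max(len(candidate), 1)
    if printable < 0.9:  # reject mostly-binary output without scanning for tokens
        return (0, printable)
    hits = sum(weight for tok, weight in MARKER_TOKENS.items() if tok in candidate)
    return (hits, printable)


def identify_scheme(blob: bytes):
    """Try every single-byte parameter for both schemes and return the best
    (scheme, parameter, decoded) triple."""
    best = None
    for param in range(1, 256):
        for scheme, decode in (("shift", shift_decode), ("xor", xor_code)):
            candidate = decode(blob, param)
            s = score(candidate)
            if best is None or s > best[0]:
                best = (s, scheme, param, candidate)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    # Build two blobs the way the two families would (parameters are assumptions),
    # then recover scheme, parameter and plaintext without knowing either in advance.
    for blob in (shift_encode(SAMPLE_STRINGS[0], 3), xor_code(SAMPLE_STRINGS[1], 0x5A)):
        scheme, param, decoded = identify_scheme(blob)
        print(f"{scheme:5s} param=0x{param:02x} -> {decoded!r}")
```

The marker-token scoring matters more than it looks: with printability as the only criterion, both schemes produce several plausible-looking candidates for the same blob, and an analyst who stopped at the first printable output could attribute the wrong obfuscation routine to a sample.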
Jeremy Humble and Nick Hoffman from CBTS Advanced Cyber Security point out that the two pieces of malware also use different algorithms to process credit card data.
Said Grunzweig, "A single difference, or perhaps a couple of differences, might be the result of minor changes in a code base. However, the number and degree of variances between these two samples are a clear indication that they were more than likely coded by different people."
The bottom line is that even if the malware isn't a BlackPOS variant, it is still powerful. "While this particular sample may not be the newest variant of BlackPOS, it is still very much a serious threat. It employs a number of simple tactics that make it difficult to detect without specific knowledge of the malware family itself," he said. "Overall, I think we can all agree that no matter what this family of malware is called, it still certainly has the capability to steal a wealth of information."