Researchers share more details about the Target POS malware

A handful of security companies have been researching the Target breach, and the information they unearthed is slowly trickling out to satisfy the public’s curiosity as the retailer has yet to share any details.

It has been revealed on Thursday that the malware used to harvest credit card information from Target’s POS systems is nearly identical to a piece of malware sold on underground cybercrime forums under the name of BlackPOS, that it was undetectable by any of the AV solutions used by VirusTotal, that the author of the malware is Russian or Ukrainian, and that the attackers had access to the company’s network for a while.

After those disclosures, several security companies also shared what they know.

Seculert’s Aviv Raff says that the attack was executed in two stages.

“First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network,” he reported.

“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information.”

Unfortunately, the researchers haven’t managed to find any data on that FTP server, but say that access logs indicate that Target was the only retailer affected.

Cyber threat intelligence firm iSIGHT Partners has also released a report on Thursday. Working in conjunction with the US Secret Service, the Department of Homeland Security, USSS, and FS-ISAC, they discovered that a new piece of malicious software dubbed Trojan.POSRAM has potentially infected a large number of retail information systems.

While in the report they don’t explicitly say that they have analysed malware that was used to hit Target, they say that their investigation started on December 18, a few days after the company made public the fact that their POS systems and the data on them were compromised.

The POSRAM Trojan – a POS memory-scraping tool – is based on the BlackPOS malware, but has apparently been customised to prevent AV solutions from detecting it.

“This software contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics, concealing all data transfers and executions that may have been run, rendering it harder to detect,” the company explained in the report.

Once again, the information about how the attackers managed to install the POS malware in the first place hasn’t been shared, because the investigation is still underway.