The malicious program used to compromise Target and other companies was part of a widespread operation using a Trojan tool known as Trojan.POSRAM, according to a new report released Thursday about an operation that investigators have dubbed Kaptoxa The malware is a memory-scraping tool that grabs card data directly from point-of-sale terminals and stores it on the victim’s own system for later retrieval.
The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia, though the new variant was highly customized to prevent antivirus programs from detecting it, according to iSight Partners and an internal report produced by the U.S. Secret Service and other government agencies investigating the breaches.
Security journalist Brian Krebs, who broke the story about the Target and Neiman Marcus attacks, previously reported correctly that the malware used against Target was based on BlackPOS.
According to iSight, which has seen the government report but would not release it, the attackers also used a variety of other malicious tools to penetrate networks, maintain a persistent foothold on them and extract stolen data. iSight does not identify Target or name any other victims of the Kaptoxa tool, but indicates the investigation into Kaptoxa began on December 18, three days after Target says it discovered malware on its point-of-sale systems.
The tool monitors memory address spaces used by specific programs, such as payment application programs like pos.exe and PosW32.exe that process the data embossed in the magnetic strip of credit and debit cards data. The tool grabs the data from memory because some companies transmit card data via a secured channel inside their corporate network, which would prevent the attackers from sniffing the data in transit.