
Report indicates KAPTOXA operation led to massive retailer breaches

The operation that likely led to the infection of Target's point-of-sale (POS) systems – allowing attackers to claim data on 40 million payment cards, among heaps of other information – is known as KAPTOXA, according to a release by iSIGHT Partners.

The cyber threat intelligence organization worked collaboratively with the U.S. Secret Service (USSS) to determine that the KAPTOXA operation has resulted in the compromise of several retail information systems.

Although no affected organizations are named in a more extensive KAPTOXA publication – issued by iSIGHT in conjunction with the USSS, Department of Homeland Security, and Financial Services Information Sharing and Analysis Center – the report indicates iSIGHT began investigating impacted retailers on Dec. 18, right around the time Target announced its breach.

Although several other “technically sophisticated” techniques were used in the attacks iSIGHT investigated, the malware that extracted payment card information from POS systems is dubbed “Trojan.POSRAM” and correlates strongly with another POS malware known as “BlackPOS,” according to the report.

“At the time of discovery and analysis, the malware had a zero percent anti-virus detection rate, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious,” according to the report.

Andrew Komarov, CEO at cyber intelligence company IntelCrawler, has been investigating the BlackPOS malware since March 2013. He suggested that a variant of the BlackPOS malware was used in the recent successful attacks on Target and Neiman Marcus.

In a Friday IntelCrawler release, the author of BlackPOS was identified as 17-year-old Sergey Taraspov, who is said to be well-known in underground circles as a writer of malicious code. Komarov told SCMagazine.com on Thursday that Taraspov has ties to Saint Petersburg and Nizhniy Novgorod and that the malware author should be arrested soon.  

“Some other bad actors really used very similar malware, like Dexter, Alina, or BlackPOS, as all of them work with Windows-based back offices and have typical methods of RAM scraping,” Komarov said, explaining that Taraspov was likely involved in the sale of the product, but not the actual POS attacks.

According to the IntelCrawler release, Taraspov sold more than 40 builds of BlackPOS to criminals in Eastern European countries – among other countries – at about $2,000 apiece, or for half the money earned on sales of stolen card data.

Komarov said more information should be revealed soon on other retailer breaches.
