The malware operation apparently behind the Target breach of approximately 110 million customer credit card and personal records was known as KAPTOXA, according to a report released today.
iSight Partners, which did not specifically identify Target, stated that it had been working since December 18th, three days after the Target attack was launched, with the US Secret Service (USSS) and US-CERT to “characterize newly identified malware associated with the KAPTOXA operation, which is behind a large-scale point-of-sale (POS) cyber crime breach.”
iSight Partners described the malware as a memory-scraping tool that grabs card data directly from the memory of POS terminals and stores it on the victim’s system, to be retrieved by the attackers over the Internet at a later time.
It said KAPTOXA involved the use of a new malware variant, called “Trojan.POSRAM,” which is specifically designed to extract payment card details from POS systems. It noted that multiple data points suggested that Trojan.POSRAM was a derivative of “BlackPOS,” another type of POS malware.
Security journalist Brian Krebs, who broke the story about the Target breach earlier, had also identified the malware used against Target as likely being based on BlackPOS. Krebs said the breaches occurred “not long after Antikiller (Russian speaking) began offering his BlackPOS crimeware for sale.”
iSight Partners noted that running all samples through a multi-scanner at the time of analysis revealed a “zero percent detection” rate, and said that anti-malware technology would likely not have detected the attack, which used a previously unknown family of code.
KAPTOXA works by monitoring the memory address space used by a specific program that processes the data encoded in the magnetic stripe of credit and debit cards. It grabs that data from memory and stores it on the victim’s system. Every seven hours the Trojan checks whether the local time is between 10 AM and 5 PM; if it is, it attempts to export the stored data over a temporary NetBIOS share to an internal host inside the compromised network.
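The memory-scraping step described above comes down to pattern matching: a RAM scraper, and equally a responder examining a memory dump from a suspect POS host, looks for ISO 7813 track 1 and track 2 strings and keeps only runs whose primary account number passes the Luhn check. The following Python is an added example of that detection logic; it is not code from the iSight report or from the malware. The sample buffer is constructed (the PAN is the well-known Visa test number, not a real card), and the regular expressions are a simplified approximation of the track layouts rather than a full ISO 7813 parser. The 10 AM to 5 PM gate is included as a separate, reusable check because the same time window is the one a hunt for internal NetBIOS transfers would focus on.

```python
import re
from datetime import datetime

# Constructed sample of what a POS process's memory might contain right after a
# swipe: unrelated bytes with ISO 7813 track 1 and track 2 strings embedded.
# The PAN 4111111111111111 is a well-known Visa test number, not a real card.
SAMPLE_MEMORY = (
    b"\x00\x00pos.exe\x00log=ok\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"  # track 1
    b"\x00\x00\xff\xfegarbage\x00"
    b";4111111111111111=25121011000000000000?"            # track 2
    b"\x00;1234567890123456=2512101?\x00"                 # track-2 shaped, fails Luhn
)

# Approximate track layouts (assumption: adequate for typical magstripe data,
# not a complete ISO 7813 grammar).
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^?]{0,100}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; discards digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Return track 1 / track 2 records found in buf whose PAN passes Luhn."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode(errors="replace"),
                         "exp": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan,
                         "exp": m.group(2).decode(), "offset": m.start()})
    return hits


def in_exfil_window(hour: int, minute: int = 0) -> bool:
    """The 10 AM to 5 PM local-time gate the report describes
    (10:00 inclusive, 17:00 exclusive; assumption about edge handling)."""
    return (10, 0) <= (hour, minute) < (17, 0)


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so findings can be logged without re-exposing card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for hit in scrape_tracks(SAMPLE_MEMORY):
        print(f"track {hit['track']} at offset {hit['offset']}: "
              f"PAN {mask_pan(hit['pan'])} exp {hit['exp']}")
    now = datetime.now()
    print("inside exfil window now:", in_exfil_window(now.hour, now.minute))
```

Run against a real dump (for example the output of a process memory capture of the card-handling application), the same `scrape_tracks` call tells you whether cleartext track data was resident and where, which is the condition a RAM scraper needs; the Luhn filter is what keeps the third, malformed record out of the results. Log only the masked PAN: a finding that re-exposes full track data becomes its own cardholder-data incident.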