A security company that worked with the U.S. Secret Service to investigate the data breach at Target identified the malware used in the attack as a sophisticated derivative of a previously known Trojan program designed to steal data from Point-of-Sale (POS) systems.
In a report released Thursday, iSight Partners identified the tool as Trojan.POSRAM, which it described as software that can find, store and transmit credit card and PIN numbers from POS systems.
The Trojan is being used in a "persistent, wide ranging, and sophisticated" cyber campaign dubbed KAPTOXA targeting "many operators" of POS systems, the company warned. Some affected companies may not yet know they've been compromised or have already lost data, the iSight report noted. It did not mention Target as the company that was investigated.
Tiffany Jones, the author of the report, described the POSRAM Trojan as a customized version of BlackPOS, a piece of malware that has been available in the cyber underground since at least last February.
Like BlackPOS, the POSRAM Trojan is designed to steal a card's magnetic stripe data while it is stored momentarily in a POS system's memory, just after a credit or debit card is swiped at the terminal.
After infecting a POS terminal, the malware monitors the memory address spaces on the device for specific information. When it finds something of interest, the software saves the data to a local file and then transfers it to the attackers at preset times. It then is coded to delete the local file to cover its tracks.
According to Jones, at least 75% of the code in POSRAM is similar to the code in BlackPOS. Where POSRAM differs is in the methods it uses to evade detection by anti-malware tools, said Jones, who is a senior vice president of client solutions and support at iSight.
At the time the code was discovered, even fully updated antivirus tools would not have been able to detect the malware. "This software contains a new kind of attack method that is able to covertly subvert network controls and common forensic tactics, concealing all data transfers and executions that may have been run, rendering it harder to detect," the iSight report said.
Because of the ongoing investigation, iSight is not able to disclose how the attackers have managed to install the malware on targeted POS systems, Jones said. But retailers who are concerned about their systems should get in touch immediately with the Secret Service, she said.
Target earlier this month disclosed that sensitive data on 40 million debit and credit cards and other personal information such as emails, phone numbers and full names of an additional 70 million people was compromised in a data breach that occurred over Thanksgiving.
In a subsequent interview with CNBC, Target CEO Gregg Steinhafel confirmed that the compromise followed a breach of its POS systems. Though the company is still trying to figure out what exactly happened, it has been able to determine that malware was installed in its POS systems, he said.
At least three other retailers are believed to have been hit by the same malware, including Neiman Marcus. The names of the other two remain unknown.
Security blogger Brian Krebs, who first broke the story about the Target breach, on Wednesday updated the report with new details about the intrusion.
According to Krebs, sources close to the investigation say attackers managed to somehow upload the malware to Target's POS systems after first breaking into a web server. They then appear to have brazenly set up a control server right within Target's internal network, which they used to store and retrieve data stolen from the POS systems.
"The bad guys were logging in remotely to that [control server], and apparently had persistent access to it," Krebs said.
Krebs described the malware as being roughly 207KB in size and fairly inexpensive -- around $1,800 for a barebones version and $2,300 for a more feature-rich version capable of encrypting stolen data.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.