IntelCrawler: "The teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon"

Los Angeles, California - January 17, 2014

The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 million customers, used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may also have been involved in the Neiman Marcus attack.

iSIGHT Partners, working with the U.S. Secret Service, has determined that a new piece of malicious software, KAPTOXA (Kar-Toe-Sha), has potentially infected a large number of retail information systems. A joint publication has been issued by the Department of Homeland Security, USSS, FS-ISAC and iSIGHT Partners. See more at: http://www.isightpartners.com/2014/01/kaptoxa-pos-report-faq/.

Security researchers from IntelCrawler, a Los Angeles based cyber intelligence company, announced that the BlackPOS malware author was close to 17 years old and that the first sample of the malware was created in March 2013. The first report on this malware was produced at the beginning of spring by Andrew Komarov, IntelCrawler CEO, while he was working at another forensics company.

According to IntelCrawler's own sources, the first Point-of-Sale environments infected by BlackPOS were in Australia, Canada and the US. The malware's first name was "Kaptoxa" ("potato" in Russian slang); it was then renamed "DUMP MEMORY GRABBER by Ree[4]" for forum postings, while the C&C title carried the string "BlackPOS". During that time, "Ree[4]" ("ree4") sold more than 40 builds of BlackPOS to cybercriminals from Eastern Europe and other countries, including the owners of underground credit card shops such as ".rescator", "Track2.name", "Privateservices.biz" and many others. The researchers have also confirmed that he sold several copies of BlackPOS/Kartoxa as source code, and that some experienced cybercriminals asked him for individual modifications of it.

The bad actor was quite open about trading this malware for $2,000 USD, or for a 50% share of the proceeds from the sale of all credit cards intercepted by his customer, paid through Liberty Reserve.

ree4@exploit.im: http://ree4.7ci.ru/dump_grabber.php
reed4@exploit.im: it is the administrative panel
ree4@exploit.in: password "pass"
ree4@exploit.in: http://www.sendspace.com/file/zglgvy
ree4@exploit.in: after infection you will receive "readme.txt", like "ping"

The first C&C server of BlackPOS was installed on "ree4.7ci.ru", the personal host of its author, who used the nickname "ree[4]". Other hosts were found under the same domain name, which was probably used as hosting for all members of the same group:

- onlyddos.7ci.ru;
- merzavetz.7ci.ru;
- reperckov41.7ci.ru.

17-years-old teenager is the author of BlackPOS/Kaptoxa malware (Target)

ree4@exploit.im: http://plasmon.rghost.ru/44699041/image.png (uploaded by Ree4, March 2013)
hidden: how does it keep the data (intercepted credit cards)?
reed4@exploit.im: on the left side there are files, time.txt; you click on one and find the dumps in the browser in plaintext
hidden: are there any differences in terms of infected Point-of-Sale systems?
ree4@exploit.im: no, but there are some nuances, for example it doesn't work on Verifone
hidden: really? I have Verifones ...
reed4@exploit.im: it grabs dumps from memory; a Verifone can be connected to a PC, but it will be "secured", you need standalone Point-of-Sale terminals with a monitor and Windows
hidden: how much?
ree4@exploit.im: 2000 USD
ree4@exploit.im: 1st build

After the analysis, process memory scanning functions were detected:

Some specific strings related to "KARTOXA" were also extracted:

The link between "ree4" and the authorship of this malware was also confirmed by additional text strings found in the binaries compiled by the author:

Examples were also found showing that the malware could be run in standalone mode:

He had previously created several brute-force tools used in the hacking community, such as "Ree4 mail brute", and had earned some initial money from hacking social network accounts, running DDoS attack trainings, and software development, including malicious code.

IntelCrawler investigators have also profiled the bad actor:

E-mail 1: ree4@list.ru
E-mail 2: ree4@yandex.ru
ICQ: 565033
Skype: s.r.a.ree4
Profile 1: https://forum.antichat.ru/member.php?u=156947 (ICQ 565033, http://mysoft.h19.ru)
Profile 2: http://www.cyberforum.ru/post3418751.html?langid=3 (ree4@list.ru, "spam bot development")

His first post about this malware appeared on the underground community "Exploit.in" at the beginning of 2013:

Buy/Sell - Malware, Exploits, Injects, Crypting
"This trojan is written in pure C++ without any additional libraries and is used as a dumps grabber for credit cards from the RAM of all running processes. It works on all Windows systems, including x64. It uses mmon.exe for RAM scanning and is very silent on the computer; there is a timeout for autorun (we can change it). It can also repeat sending dumps. The log is sent to the gate through FTP, each new log has the date, like 1.09.56-16.02.2013.txt; we can also modify it to e-mail. All questions to ree4@exploit.im"
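
The forum post above names the two behaviours a defender can look for: track data held in cleartext in process memory, and exfiltration logs named by timestamp. As an added example, not code from the report or from the malware, this Python triages a constructed memory snippet for Luhn-valid Track 2 records (reported with the PAN masked) and for filenames matching the described log naming; the exact `H.MM.SS-DD.MM.YYYY.txt` shape is an assumption drawn from the single filename quoted.

```python
import re

# Constructed stand-in for a page of POS process memory captured during incident
# response. PANs are standard test numbers (Luhn-valid, not real accounts) in
# Track 2 layout, plus one Luhn-invalid decoy and a log filename of the kind
# the forum post describes.
SAMPLE_MEMORY = (
    b"\x00\x00MSRDATA\x00;4111111111111111=15121011000012345678?\x00\x00"
    b"junk;4111111111111112=15121011000012345678?\x00"
    b"\x00;5500000000000004=1412201?\x00\x00log=1.09.56-16.02.2013.txt\x00"
)
# Track 2: ';' sentinel, 13-19 digit PAN, '=' separator, YYMM expiry, 3-digit
# service code, optional discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Exfiltration log name from the post: H.MM.SS-DD.MM.YYYY.txt (assumed shape).
LOGNAME_RE = re.compile(rb"\d{1,2}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{4}\.txt")

def luhn_ok(pan):
    """Luhn checksum; filters the random digit runs a memory image is full of."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep BIN and last four only; a triage report must not hold full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_memory(buf):
    """Return masked Track 2 findings and any exfiltration-style log names."""
    cards = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        cards.append({
            "offset": m.start(),
            "pan_masked": mask(pan),
            "expiry": "20%s-%s" % (m.group(2).decode(), m.group(3).decode()),
            "service_code": m.group(4).decode(),
        })
    lognames = [m.group(0).decode() for m in LOGNAME_RE.finditer(buf)]
    return {"cards": cards, "log_names": lognames}
```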

Update: one VK social network profile carries the same distinctive nickname as the bad actor. One of the interests listed by the page owner is "coding".

It was also verified that one of his e-mail addresses is linked to this page through the password recovery by e-mail option:

According to IntelCrawler's operational information, the person behind the nickname "ree[4]" is Rinat Shibaev, who works closely with Sergey Taraspov, a very well-known programmer of malicious code in the underground with roots in St. Petersburg (Russian Federation), who acted as his technical support together with several other members. All the factors mentioned indicate that the named bad actor is definitely rooted in one of the former USSR countries.

"He is visible to us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers," comments Dan Clements, IntelCrawler President. Before both breaches, IntelCrawler had detected large-scale RDP brute-forcing attacks against Point-of-Sale terminals across the U.S., Australia and Canada, starting in winter at the beginning of 2013 and using weak passwords such as:

- "micros":"micros" (MICROS Systems, Inc. - Point-of-Sale hardware);
- "edc":"123456" (EDC - Electronic Draft Capture).
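
The credential pairs above are something a defender can alert on directly. As an added example, not IntelCrawler's tooling, this Python parses a constructed batch of Windows logon events (4625 failed, 4624 succeeded, logon type 10 = RDP) in an assumed flattened key=value form and flags any source that repeatedly fails against a POS host, noting when a POS default account was tried or a successful logon followed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security events (4625 failed logon, 4624 success)
# flattened to key=value as a SIEM might forward them. Logon type 10 is
# RemoteInteractive (RDP). Hosts and IPs are made up; "micros" and "edc" are the
# default POS accounts named in the report.
SAMPLE_EVENTS = """\
2013-02-09T14:30:01 host=POS-REG-01 event=4625 user=micros logon_type=10 src=203.0.113.7
2013-02-09T14:30:02 host=POS-REG-01 event=4625 user=micros logon_type=10 src=203.0.113.7
2013-02-09T14:30:02 host=POS-REG-01 event=4625 user=edc logon_type=10 src=203.0.113.7
2013-02-09T14:30:03 host=POS-REG-01 event=4625 user=administrator logon_type=10 src=203.0.113.7
2013-02-09T14:30:05 host=POS-REG-01 event=4624 user=micros logon_type=10 src=203.0.113.7
2013-02-09T14:31:10 host=POS-REG-02 event=4625 user=jsmith logon_type=2 src=-
2013-02-09T14:32:00 host=POS-REG-02 event=4625 user=edc logon_type=10 src=198.51.100.9
"""
EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
    r"logon_type=(?P<ltype>\d+) src=(?P<src>\S+)$"
)
POS_DEFAULT_ACCOUNTS = {"micros", "edc"}

def parse_events(text):
    """One dict per line; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def detect_rdp_bruteforce(text, threshold=3):
    """Return one finding per (source, host) with at least `threshold` failed RDP
    logons: the accounts tried, whether a POS default account was among them,
    and whether the same source later logged on successfully (escalate then)."""
    failures, successes = defaultdict(list), set()
    for ev in parse_events(text):
        if ev["ltype"] != "10":
            continue  # only RDP logons are of interest here
        key = (ev["src"], ev["host"])
        if ev["event"] == "4625":
            failures[key].append(ev["user"].lower())
        elif ev["event"] == "4624":
            successes.add(key)
    findings = []
    for key, users in failures.items():
        if len(users) < threshold:
            continue
        findings.append({
            "src": key[0], "host": key[1], "failures": len(users),
            "accounts": sorted(set(users)),
            "pos_default_account": bool(set(users) & POS_DEFAULT_ACCOUNTS),
            "followed_by_success": key in successes,
        })
    return findings
```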

February 9th, 2013, 14:30

IP Address:
Latitude & Longitude: 34.052230, -118.243680
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/310/424/323
ZIP Code: 90001
Weather Station: LOS ANGELES (USCA0638)

IP Address:
Latitude & Longitude: 34.002300, -118.211520
Net Speed: (COMP) Company/T1
IDD & Area Code: 213/323
ZIP Code: 90058
Weather Station: LOS ANGELES (USCA0638)
Usage Type: (COM) Commercial

February 21st, 2013, 13:36

IP Address:
Latitude & Longitude: 43.088572, -77.432766
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 585
ZIP Code: 14450
Weather Station: FAIRPORT (USNY0477)

May 21st, 2013, 18:26
URL: http://d3scene.ru/besplatnye-razdachi-i-pooschreniya/49081-razdacha-dedikov.html

IP Address:
Latitude & Longitude: 39.546295, -104.896772
Net Speed: (COMP) Company/T1
IDD & Area Code: 303
ZIP Code: 80124
Weather Station: PARKER (USCO0306)

According to The New York Times (NYT), Neiman Marcus acknowledged that the time stamp of the first intrusion was in mid-July, which may correlate well with the compromised Point-of-Sale systems that were found.

July 19th, 2013
URL: http://freegaming.ucoz.net/news/razdacha_dedikov/2013-07-19-3
EDC (Electronic Draft Capture), also known as Point of Sale (POS), allows a merchant to capture and authorize a credit card.

IP Address:
Latitude & Longitude: 32.044150, -110.734770
Net Speed: (COMP) Company/T1
IDD & Area Code: 520
ZIP Code: 85747
Weather Station: TUCSON (USAZ0247)

September 22nd, 2013, 15:52
URL: http://ccc.gs/topic/2405-razdacha-dedikov/

IP Address:
Latitude & Longitude: 34.406069, -118.535302
Net Speed: (DSL) Broadband/Cable
IDD & Area Code: 661
ZIP Code: 91355
Weather Station: STEVENSON RANCH (USCA1095)

"Most of the victims are department stores. More BlackPOS infections, as well as new breaches, can appear very soon; retailers and the security community should be prepared for them," commented Andrew Komarov, IntelCrawler CEO.

About IntelCrawler

IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3,000,000,000 IPv4 addresses and over 200,000,000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.