Intelligence firm IntelCrawler announced a few days ago that the author of the BlackPOS/Kaptoxa malware used in the attack against Target and Neiman Marcus retailers a teenager known in the underground with the pseudonym of Ree.
The first sample of malware was created in March 2013, first documented use of BlackPOS were in Australia, Canada and the US. The first name assigned to the malicious code was “Kaptoxa” (“potato” – in Russian slang), which then was renamed to “DUMP MEMORY GRABBER by Ree” for forum postings, but the title for Command & Control server maintained string “BlackPOS“. Ree is not directly responsible for the attack, he sold the BlackPOS to other cyber gangs from Eastern Europe and other countries, it seems that the owners of underground credit cards shops “.rescator“, “Track2.name”, “Privateservices.biz” and many others were his clients.
“The original source code was authored by actor “ree” (for more information and attribution, see iSIGHTPartners. “Analysis of “Dump memory Grabber” Point-of-Sale Malware,” Malware Report #13-25113. April 8, 2013; and “Attribution for Russian Actor “Ree,” Seller of a Credit card RAM Memory Grabber”, Intel-792666. April 11, 2013″
IntelCrawler update also anticipated that several other breaches may be revealed soon, the technique to infect POS systems with memory grabber is consolidated in the cybercrime ecosystem, poorly configured POS and lack of security best practices (e.g. The use of weak passwords) advantaged the cyber criminals.
Who is Ree?
In the last I preferred to not reveal the name if the young guy, but now it is public, Intercrawler revealed that alleged Russian hacker and malware developer is Sergey Taraspov (ree4), this is the name of the author of BlackPOS.
Sergey Taraspov is based in St.Petersburg and Nizhniy Novgorod (Russian Federation) and he is a very well-known programmer of malicious code in the underground. I
“He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers”, comments Dan Clements, IntelCrawler President.
Before both breaches IntelCrawler detected large-scale RDP brute-forcing attacks on Point-of-Sales terminals across the US, Australia and Canada started at the beginning of 2013 year in winter period with weak passwords such as:
"pos":"pos"; "micros":"micros" (MICROS Systems, Inc. - Point-of-Sale Hardware); "edc":"123456" (EDC - Electronic Draft Capture).
Today I propose you a new exclusive update from security researchers at IntelCrawler on the author of BlackPOS. The author of BlackPOS is the bad actor with nickname “ree4” or “ree”, he started to sell this malware on one of underground forums called “Exploit.in” under the same nick at the beginning of 2013 as visible in the following screenshot:
Despite the author of blackPOS malware is a cyber expert, it seems that he has ignored the power of social networking platform, and the possibility to use them for OSINT purposes. One profile of the popular Russian social network VKontakte has the same nickname as BlackPOS author https://vk.com/ree4_ree4. Obviously this is not a body of evidence, but researcher at IntelCrawler noted that one of the interest of the owner of the page is “coding” and it was checked that one of his emails is linked to this page through password recovery option by email.
According to operative information from IntelCrawler, the person behind the nickname “ree” is Rinat Shibaev, working closely with Sergey Taraspov, who was acting as his technical support, having roots in St.Petersburg (Russian Federation), very well-known coder of malicious code in the underground.
Let’s wait for new updates from Andrew Komarov, Dan Clements and the experts at IntelCrawler.
IntelCrawler.com is a multi-tier intelligence aggregator, which gathers information and cyber prints from a starting big data pool of over 3, 000, 000, 000 IPv4 and over 200, 000, 000 domain names, which are scanned for analytics and dissemination to drill down to a desired result. This finite pool of cyber prints is then narrowed further by comparing it to various databases and forum intelligence gathered from the underground and networked security company contacts. The final result could be the location of a particular keyboard or a computer housing the threat.
(Security Affairs – BlackPOS, IntelCrawler)