Actionable Indicators for Detection of Signs of Compromise from Target-related Breaches

A lot of press stories and blogs have been written about the Target breach in the last month after Brian Krebs broke the story on December 20th. However, very little detail has been released up until now about how the attack was conducted and actionable intelligence that potential other victims can use to detect signs of similar breaches on their network. CrowdStrike has been collecting and analyzing intelligence about this attack for the past month for our customers and we have decided to make public indicators and signatures that organizations can use to detect these threats. These signatures were designed to not just detect the specific hashes that were uncovered during the Target investigation, which is not terribly useful since most of the malware samples were repackaged or built custom for that environment, but also more generic variants of the malware that the criminals behind target may have used in other intrusions over the last few months. I highly recommend check out two great posts that Brian Krebs published

 

on the analysis of the specific malware samples found at Target in the last 24 hours.
The following YARA and Snort rules can be used to detect some known components of BlackPOS malware used to steal the credit card information from Point of Sales (POS) Terminals at Target as well as the exfiltration tools that the criminals had used to get the stolen data out of the organization.

YARA Rules

rule CrowdStrike_targetbreach_exfil {

 

 

 

meta:

 

 

 

 

 

 

 

description = "Tool Responsible for Exfiltration of CC Data."

 

 

 

 

 

 

 

last_modified = "2014-01-16"

 

 

 

 

 

 

 

version = "1.0"

 

 

 

 

 

 

 

in_the_wild = true

 

 

 

 

 

 

 

copyright = "CrowdStrike, Inc"

 

 

 

strings:

 

 

 

 

 

 

 

$fmt = "data_%d_%d_%d_%d_%d.txt"

 

 

 

 

 

 

 

$scramble1 = ""-BFr423mI_6uaMtg$bxl\sd1iU/0ok.cpe"

 

 

 

 

 

 

 

$scramble2 = "gBb63-t2p_.rkd0uaeU/x1c$s\o4il"

 

 

 

 

 

 

 

$scramble3 = "x"a-201Mt6b3sI$ /ceBok_i\m.rdpU4Fulg"

 

 

 

 

 

 

 

$scramble4 = "omv3.a 1%tNd\4ils60n2Te_w"

 

 

 

 

 

 

 

$scramble5 = "4mei gd2%rob-"

 

 

 

 

 

 

 

$scramble6 = "8pCt1wq_hynlsc0.u9a"

 

 

 

condition:

 

 

 

 

 

 

 

$fmt and 1 of ($scramble*)
}

 

rule CrowdStrike_blackpos_memscanner {

 

 

 

meta:

 

 

 

 

 

 

 

description = "Tool Responsible for Scanning Memory For CC Data."

 

 

 

 

 

 

 

last_modified = "2014-01-16"

 

 

 

 

 

 

 

version = "1.0"

 

 

 

 

 

 

 

in_the_wild = true

 

 

 

 

 

 

 

copyright = "CrowdStrike, Inc"

 

 

 

strings:

 

 

 

 

 

 

 

$message1 = "S region:"

 

 

 

 

 

 

 

$message2 = " found <"

 

 

 

 

 

 

 

$message3 = "> bytes of pattern:<"

 

 

 

 

 

 

 

$message4 = "CC2 region:"

 

 

 

 

 

 

 

$message5 = "CC memregion:"

 

 

 

 

 

 

 

$message6 = "KAPTOXA"

 

 

 

 

 

 

 

$message7 = "=== pid:"

 

 

 

 

 

 

 

$message8 = "scan process with pid for kartoxa and string pattern:"

 

 

 

 

 

 

 

$message9 = "scan process with pid for kartoxa:"

 

 

 

 

 

 

 

 

$message11 = "scan all processes for string pattern:"

 

 

 

 

condition:

 

 

 

 

 

 

 

2 of ($message*)
}

Snort Rules

The following Snort rules can be used to detect potential BlackPOS activity.
alert tcp any any <> 199.188.204.182 21 (msg: "TargetBreach Exfil C2"; sid: xxx;) alert tcp any any <> 50.87.167.144 21 (msg: "TargetBreach Exfil C2"; sid: xxx;) alert tcp any any <> 63.111.113.99 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)

 

For more information on this intelligence, contact the CrowdStrike Global Intelligence Team at intelligence@crowdstrike.com. CrowdStrike Services stands ready to assist any potential victim of this criminal activity with forensic investigative resources. Contact the CrowdStrike Services team at services@crowdstrike.com.
Breaches Stop Here