Home Depot and Target attackers likely not the same

More details about the malware used in the Home Depot breach have surfaced, and it seems that, after all, it wasn’t the one used in the Target breach (BlackPOS).

According to Trail of Bits CEO Dan Guido and another unnamed source familiar with the investigation, the malware used against Home Depot belongs to a different family of POS RAM scrapers: FrameworkPOS.

The malware has been dubbed thusly because it impersonates McAfee’s antivirus agent. Event though Home Depot doesn’t use McAfee products, this approach was successful as Target’s security team was tricked into not paying attention to the malware.

There are other dissimilarities between the two malware families: the way and place they install themselves, their interaction with the OS, and the obfuscation techniques they use differ considerably.

It’s unknown whether the FrameworkPOS is the malware that Trend Micro researchers recently analyzed and dubbed Memlog.

Guido noted to BusinessWeek that it’s likely that the two breaches haven’t been executed by the same attackers.

The FrameworkPOS’ code includes hidden messages denouncing United States’ support to Ukraine in the latest conflict.

Batches of payment card data stolen from both Target and Home Depot have been and are being sold on the infamous rescator(dot)com underground carder market, but the “dumps” of Home Depot’s cards have been named “European Sanctions” and “American Sanctions,” which seems to indicate that the Home Depot attackers were (partially) politically motivated.




Share this