SecureState Blog

Read SecureState's award winning blog.

Scanning Tool Effective in Finding Malware Responsible for Massive Retail Data Breaches

In response to recent breaches of several major retailers, SecureState, has developed a custom scanning tool that retailers can run on their systems to detect BlackPOS malware. BlackPOS is the reported culprit behind Target’s massive data breach, it is available on the black market and is also known as KAPTOXA, which is a more advanced version of the original malware.

The tool will scan for service, file, registry and autorun artifacts to determine if any KAPTOXA footprints are present on the POS system.  A confidence output is generated giving the user an indication of a likely compromise.

If the tool has detected any artifacts related to KAPTOXA immediately enact your incident response plan and contract the appropriate management and security teams. Even if the tool outputs no detection, organizations should still consider performing regular system response testing and checkups.

The modular build of the tool allows it to accept new signatures and strands in the scanning portion of the code.  SecureState is welcoming more information from the information security community to develop and continue to improve the indicators of compromise for this and future variants of KAPTOXA, and similar malware.  Therefore, if you have the actual strands or other relevant information artifacts related to the malware and related compromises, please submit to info@securestatein the OpenIOC format if possible to have consideration for inclusion into the tool.

The current version has been tested on all MS Windows versions up to Windows 7 and is freely available for download from SecureState’s website: