Home Depot Breach May Not Be Related To BlackPOS, Target

Published: 22/11/2024   Category: security


New analysis of the malware earlier identified as a BlackPOS variant leads some researchers to believe that they are two different malware families entirely.



Reports emerged earlier this week that a BlackPOS variant discovered last month by Trend Micro was to blame for the data breach at Home Depot, raising speculation that the breach was carried out by the same group that breached Target, using the same malware. But new analysis has led some researchers to believe that it isn't related to BlackPOS at all.
As Josh Grunzweig wrote on the nuix Unstructured blog: "After careful review of both [malware] samples, I don't believe the sample in question is actually part of the BlackPOS malware family. While I thought Trend Micro's technical analysis was fantastic and overall a good read, it does not clearly identify a connection between the two samples."
Grunzweig points to a number of ways in which the malware variants differ:
Subsystems were configured differently. BlackPOS was built for the Windows subsystem, while the new malware was built with the console subsystem option.
Installation differs. BlackPOS was configured to run without any command-line arguments, while the new malware uses several command-line arguments. Also, the new malware uses a service dependency technique that BlackPOS does not: it adds itself as a dependency of another service, so that it cannot easily be removed.
String obfuscation techniques differ. BlackPOS uses character shifts, while the new malware uses an XOR encryption routine.
Although both malware variants dump harvested card data to a fake DLL file, they format and obfuscate that data differently. BlackPOS includes a command in the data format and obfuscates it with a customized version of Base64. The new malware includes the victim's IP address in the format and obfuscates it with a substitution cipher.
Both malware samples move the harvested data through network shares, but their techniques differ. BlackPOS uses direct system calls, while the new malware writes out a batch script and executes it with a call to the CreateProcessA() Windows API.
The APIs called for process enumeration differ. BlackPOS uses EnumProcess(), and the new malware uses CreateToolhelp32Snapshot.
Lastly, BlackPOS uses a more focused whitelist approach to finding processes to target, while the new malware uses a blacklist.
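A triage helper illustrating the string-obfuscation difference above, added here as an example and not code from the article or from either malware family; the shift amount (13), the XOR key (0x5A) and the sample text are constructed assumptions:

```python
# Added triage helper: given a string blob carved from a sample, brute-force
# the two decoding schemes the article contrasts, a fixed character shift
# (attributed to BlackPOS) and a single-byte XOR (attributed to the newer
# sample), and report every parameter that yields all-printable ASCII.
# Shift amount, XOR key and sample strings are constructed assumptions.
from typing import Dict, List, Tuple


def is_printable(data: bytes) -> bool:
    """True if data is non-empty and every byte is printable ASCII (0x20..0x7E)."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def shift_decode(data: bytes, shift: int) -> bytes:
    """Undo a byte-wise character shift (add-constant obfuscation, mod 256)."""
    return bytes((b - shift) & 0xFF for b in data)


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def classify(data: bytes) -> Dict[str, List[Tuple[int, bytes]]]:
    """Per scheme, every (parameter, plaintext) pair whose decoding is fully
    printable. An empty list rules a scheme out; the analyst confirms the
    winner against the decoding routine seen in the disassembly."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {"shift": [], "xor": []}
    for param in range(1, 256):
        out = shift_decode(data, param)
        if is_printable(out):
            hits["shift"].append((param, out))
        out = xor_decode(data, param)
        if is_printable(out):
            hits["xor"].append((param, out))
    return hits


# Constructed sample strings, obfuscated with constructed parameters.
PLAINTEXT = b"Harvested track data staged in fake.dll on 10.0.0.5"
SHIFT_SAMPLE = bytes((b + 13) & 0xFF for b in PLAINTEXT)  # shift of 13
XOR_SAMPLE = bytes(b ^ 0x5A for b in PLAINTEXT)            # key 0x5A

if __name__ == "__main__":
    for name, blob in (("shift-style", SHIFT_SAMPLE), ("xor-style", XOR_SAMPLE)):
        result = classify(blob)
        print(name, {k: [p for p, _ in v] for k, v in result.items()})
```

For the XOR-encoded sample no shift decodes to readable text at all, which is the kind of hard difference the analysis above relies on.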
Jeremy Humble and Nick Hoffman from CBTS Advanced Cyber Security point out that the two pieces of malware also use different algorithms to process credit card data.
Said Grunzweig, "A single difference, or perhaps a couple of differences, might be the result of minor changes in a code base. However, the number and degree of variances between these two samples are a clear indication that they were more than likely coded by different people."
The bottom line is that even if the malware isn't a BlackPOS variant, it's still powerful. "While this particular sample may not be the newest variant of BlackPOS, it is still very much a serious threat. It employs a number of simple tactics that make it difficult to detect without specific knowledge of the malware family itself," he said. "Overall, I think we can all agree that no matter what this family of malware is called, it still certainly has the capability to steal a wealth of information."
