
Thursday, September 11, 2014

Home Depot Malware Carries Signatures of Anti-American Anti-Imperialist Enemies

tags: data breach, malware, target, Home Depot, Russia, Ukraine, Libya, propaganda, Ukrainian stolen credit-card dealer

The malware used in the Home Depot hack was, in part, a new variant (apparently created June 22, 2014) of the malware used in cash registers at Target last December, and it masqueraded as anti-virus software. "BlackPOS" (a.k.a. "Kaptoxa") steals payment-card data from infected point-of-sale systems running Microsoft Windows.

While some have speculated that previous attacks may have been sponsored by anti-American foreign agencies from Russia, China or Iran, examination of the software showed that the authors explicitly included anti-American references, including a link to a Wikipedia entry on wars involving the U.S. and a website promoting a book on American imperialism. This indicates either that the authors were working for an enemy of the United States or that they wanted somebody to think they were.

Some of the hidden messages include a link to a blog post comparing U.S. military intervention in Libya to its support of the government in Ukraine against a Russian-sponsored rebellion in the eastern portion of the country. Just like the numbers stolen from Target, stolen Home Depot credit card numbers have turned up for sale on a major online emporium run by a Ukrainian stolen credit-card dealer based in Odessa, which has been linked to the

Krebs: Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.
This is interesting given what we know about Rescator, the individual principally responsible for running the store that is selling all of these stolen credit and debit cards. In the wake of the Target breach, I traced a long list of clues from Rescator’s various online identities back to a young programmer in Odessa, Ukraine. In his many personas, Rescator identified himself as a member of the Lampeduza cybercrime forum, and indeed this site is where he alerts customers about new batches of stolen cards.
As I discovered in my profile of Rescator, he and his crew seemed somewhat taken with the late despotic Libyan leader Muammar Gaddafi, although they prefer the phonetic spelling of his name. The Web site kaddafi[dot]hk was among four main carding shops run by Rescator’s crew (it has since been retired and merged with Rescator[dot]cc). The domain kaddafi[dot]me was set up to serve as an instant message Jabber server for cybercrooks, advertising its lack of logging and record keeping as a reason crooks should trust kaddafi[dot]me to handle their private online communications.
When I reached out to Rescator last December to obtain comment about my findings on his apparent role in the Target break-in, I received an instant message reply from the Jabber address “kaddafi@kaddafi[dot]me” (in that conversation, the person chatting with me from that address offered to pay me $10,000 if I did not run that story; I declined). But I also discovered that the kaddafi[dot]me domain was a blog of sorts that hosted some harsh and frankly chilling anti-American propaganda.
The entire three-part manifesto posted on the kaddafi[dot]me home page is no longer available, but a professionally translated snippet of this tirade reads:
“The movement of our Republic, the ideology of Lampeduza – is the opposition to Western countries, primarily targeting the restoration of the balance of forces in the world. After the collapse of the USSR, we have lost this fragile equilibrium face of the planet. We – the Senate and the top people of the Republic are not just fighting for survival and our place under the sun, we are driven by the idea! The idea, which is living in all of us – to return all that was stolen and taken from our friendly countries grain by grain! We are fighting for a good cause! Hot blood is flowing in us, in citizens, who want to change situation in the world. We do not bend to other people’s opinions and desires, and give an adequate response to the Western globalism. It is essential to be a fighter for justice!
Perhaps we would be living completely differently now, if there had not been the plan of Allen Dulles, and if America had not invested billions in the collapse of the USSR. We were deprived of a common homeland, but not deprived of unity, have found our borders, and are even closer to each other. We saw the obvious principles of capitalism, where man to a man is a wolf [see here for more context on this metaphor]. Together, we can do a lot to bring back all the things that we have been deprived of because of America! We will be heard!
Citizens of Lampeduza – “free painters” ready to create and live the idea for the good of the Motherland — let’s first bend them over, and then insert deeper!!!”
Google-translated version of Kaddafi[dot]me homepage.
picture used in this article

No caption needed

by 1389 on MARCH 18, 2014

Cameron warns against Islamic extremism (will the intervention land in Iraq?). The Bishop of Manchester reproached the authorities over the war in Iraq, which has worsened the situation of Christians in the Middle East.


08/17/2014 (IAR) - David Cameron warns of the threat to the world from the Muslim caliphate in Iraq and Syria. The British Prime Minister, writing in "The Sunday Telegraph", describes a "generational struggle" against a "poisonous variety of Islamic extremism."
Great Britain will be forced to "use all its military force", the Prime Minister emphasizes, because otherwise "terrorists with murderous intentions will continue to threaten the British public." The Prime Minister expresses concern that the fight against extremism will take up the rest of his political career. David Cameron adds: "This threat cannot be removed by attacks from the air alone."
This seems to indicate the use of ground forces, but David Cameron avoided developing this thread further. Instead he postulated wide international cooperation: humanitarian, diplomatic, intelligence and military, and support for the new government of Iraq by the world community, in particular the countries of the region, from Turkey to the Persian Gulf.
On British territory itself he sees the need for vigorous police action and an intelligent political response to isolate domestic Islamic extremists.
The British Prime Minister says that ISIL and the caliphate in Iraq and Syria are "a clear threat and a huge challenge for Europe, but it is possible to overcome it if we mobilize the political will to defend our values and way of life. That is why," the British Prime Minister concludes his "Sunday Telegraph" article, "we have no other option but to meet this challenge."
Radio Information Agency (IAR) Gregory Drymer, London / dyd
08/17/2014 (IAR) - One of the hierarchs of the Church of England has accused the government in London of hiding its head in the sand over the Christians in Iraq. The Bishop of Manchester, David Walker, believes that Britain must grant asylum to, and permanently accept, a share of the Iraqi refugees.
The Bishop of Manchester spoke on the day on which Prime Minister David Cameron published in "The Sunday Telegraph" an article on the dangers to the United Kingdom from the jihadists of the caliphate in Iraq and Syria. Bishop David Walker stressed in an interview with the BBC that Iraqi Christians are far more threatened by the jihadists, and that Britain has a special responsibility for their fate: "For Christians and other vulnerable groups it is increasingly difficult to continue to live in areas where their community for centuries coexisted with its neighbors. That is because more than 10 years ago our country took part in the invasion of Iraq. By our actions we caused the situation these people now find themselves in." The Bishop of Manchester believes that Britain should grant them asylum: "What is the final position of the government? Are we ready to take our share of the exiles, who will have to rebuild their lives somewhere else?" Meanwhile, Prime Minister David Cameron has so far spoken only of granting aid to refugees in Iraq, and did not mention the possibility of bringing them to the UK.
Radio Information Agency (IAR) Gregory Drymer / London / em /
Source: stooq.pl
USA, Ukraine, Syria, Iraq, Iran

One of the images linked to in the guts of the BlackPOS code.


Alternative theory: does this tie the attack to the anti-American side of the Libya and Ukraine issues, which has been Russia and Iran? The batch of numbers was labeled "American Sanctions", which appears to indicate retaliation for the sanctions imposed on Russia in response to Russian aggression.

Alternative disinfo? (comment on Krebs)
malware researcher
There are a number of reverse engineers / malware analysts right now digging through the sample that TrendMicro is blogging about. (b57c5b49dab6bbd9f4c464d396414685)
There is a growing opinion that this shares very little to no code with BlackPOS.
Many different POS malware families will dump RAM and scrape for CC data using some algorithm to validate. While it’s a sensational headline, this is simply not looking like the case.
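The generic RAM-scraping technique the commenter describes (dump a process's memory, search it for magnetic-stripe track data, keep only candidates that pass a validation algorithm) is shown below as an added example. It is not code from this page, from the BlackPOS sample, or from the Krebs commenter; the memory buffer is constructed here and the PANs in it are standard test numbers, not real cards. The validation step is the Luhn check, which is what filters out the digit runs that look like card numbers but are not.

```python
"""RAM-scraper style search for track data with Luhn validation.

Added, illustrative example: it is not the page's code and not taken from any
POS malware family. It shows the mechanism the comment describes, and the
same scan can be run defensively over a process memory dump to find out
whether a POS process holds cleartext track data.
"""
import re
from typing import List, Tuple

# Track 2 layout on the stripe:  ;PAN=YYMM<service code><discretionary>?
# Track 1 layout on the stripe:  %B<PAN>^<NAME>^YYMM<service code>...?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 when
    the doubled digit exceeds 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> List[Tuple[str, str, str]]:
    """Return (track, PAN, expiry YYMM) for every track-shaped match whose
    PAN passes Luhn. Candidates that fail Luhn are discarded as noise."""
    hits: List[Tuple[str, str, str]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("T1", pan, m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("T2", pan, m.group(2).decode()))
    return hits


# Constructed stand-in for a chunk of POS process memory. The two valid PANs
# are well-known test numbers; the other two digit runs fail Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x00"
    b"%B5555555555554444^DOE/JOHN^16121011234567890?"   # Track 1, Luhn-valid
    b"\x00garbage\x00"
    b";4111111111111111=16121011234567890?"            # Track 2, Luhn-valid
    b";4111111111111112=1612101?"                      # Track 2, fails Luhn
    b";1234567890123=1612101?"                         # 13 digits, fails Luhn
    b"\x00"
)


def demo() -> List[Tuple[str, str, str]]:
    """Run the scraper over the constructed buffer."""
    return scrape(SAMPLE_MEMORY)


if __name__ == "__main__":
    for track, pan, exp in demo():
        print(track, pan[:6] + "*" * (len(pan) - 10) + pan[-4:], exp)
```

On the constructed buffer the scan returns only the two Luhn-valid entries, so the two decoys never make it into the "dump". Real samples differ in how they pick which processes to read and how they exfiltrate the result, which is exactly why matching this mechanism alone says little about which malware family a sample belongs to.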

Home Depot’s Malware Hints That Its Hackers Weren’t Target’s, by Dune Lawrence and Michael Riley, Sep 11, 2014: "The malware code is sprinkled with anti-American references, including a link to a Wikipedia entry on wars involving the U.S. and a website promoting a book on American imperialism. The references have no relation to the way the software functions and appear to be meant as a message from the hackers, the second researcher said."



Related links:

  1. Home Depot Hit By Same Malware as Target (Brian Krebs, Krebs on Security): “We surmise that this new BlackPOS malware uses the same ... about America's role in foreign conflicts, particularly in Libya and Ukraine.”

  2. Home Depot Hack The Result Of New Variant Of BlackPOS: “As it turns out, that happens to be the case, with the point-of-sale malware. ... This malware is designed to siphon information from the credit card after it's swiped, ... current conflicts - mostly those to do with Libya and Ukraine.”
