Kaptoxa (pronounced kar-toe-sha) is a type of point-of-sale (POS) malware designed to compromise payment information systems.
This malware, a type of memory-scraping malware, is believed to have been used in several retail data security breaches in 2013, including the attack that compromised the payment data of as many as 70 million customers who shopped at Target, the second-largest discount retailer in the United States. Kaptoxa, which is Russian slang for "potato," has also been nicknamed the "potato malware."
Kaptoxa was designed to reside in POS terminals and monitor the information being processed by payment application programs. Though payment card security best practices require that merchants encrypt credit card data at the point of sale, in most cases there is a brief period during the payment authorization process when payment card data is stored unencrypted in RAM. This is the point at which Kaptoxa is able to access and copy payment card data, including credit and debit card numbers, personal identification numbers (PINs), expiration dates, email addresses, consumer addresses and telephone numbers.
Once copied, the data resides on affected POS terminals for a period of time until it is aggregated to a central location. In the Target breach, the malware checked the local time every seven hours, and if it was between 10:00 a.m. and 5:00 p.m., it would send the information over a temporary NetBIOS share to an internal host inside the compromised network over TCP port 139, 443 or 80. From this host, the attacker used a series of remote FTP transfers to retrieve the stolen data.
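A defender's view of the exfiltration pattern just described, as an added example that is not part of the original article: a small Python rule set run over constructed connection-log lines, flagging POS terminals that open NetBIOS or web-port connections to an internal host that is not an approved peer (weighted higher inside the 10:00 to 17:00 window the article names) and then any outbound FTP from a host that received such traffic. The log format, host names, addresses and the approved-peer list are assumptions invented for the example.

```python
import re
from datetime import datetime

# Constructed connection-log sample (not real data) shaped like the behaviour the
# article describes: POS lanes pushing to one internal host on TCP 139/443, then
# that host moving data out over FTP. Names and addresses are invented.
SAMPLE_LOG = """\
2013-12-02 10:14:03 src=pos-lane-07 dst=10.20.5.40 dport=139 proto=tcp
2013-12-02 10:14:09 src=pos-lane-12 dst=10.20.5.40 dport=139 proto=tcp
2013-12-02 03:05:11 src=pos-lane-07 dst=10.20.5.40 dport=443 proto=tcp
2013-12-02 11:22:45 src=pos-lane-03 dst=10.20.1.10 dport=443 proto=tcp
2013-12-02 17:40:00 src=10.20.5.40 dst=203.0.113.9 dport=21 proto=tcp
2013-12-02 12:01:30 src=corp-ws-55 dst=10.20.5.40 dport=139 proto=tcp
"""

LINE_RE = re.compile(r"(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)")
APPROVED_POS_PEERS = {"10.20.1.10"}   # assumed: the payment switch POS lanes may talk to
SUSPECT_PORTS = {139, 443, 80}        # ports the article names for the NetBIOS share
WINDOW = (10, 17)                     # 10:00-17:00 local, the exfiltration window described

def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def in_business_window(ts):
    return WINDOW[0] <= ts.hour < WINDOW[1]

def detect(log_text):
    """Return (severity, message) alerts for the two stages of the described exfiltration."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    alerts, staging_hosts = [], set()
    # Stage 1: a POS lane opening 139/443/80 to a host that is not an approved peer.
    for e in events:
        if (e["src"].startswith("pos-") and e["dport"] in SUSPECT_PORTS
                and e["dst"] not in APPROVED_POS_PEERS):
            staging_hosts.add(e["dst"])
            sev = "high" if in_business_window(e["ts"]) else "medium"
            alerts.append((sev, f"{e['src']} -> {e['dst']}:{e['dport']} unexpected POS peer"))
    # Stage 2: any suspected staging host then moving data over FTP (TCP 21).
    for e in events:
        if e["src"] in staging_hosts and e["dport"] == 21:
            alerts.append(("high", f"{e['src']} -> {e['dst']}:21 FTP from suspected staging host"))
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed log yields three POS-to-staging alerts (the 03:05 one downgraded to medium because it falls outside the window) followed by one FTP alert for the staging host; the lane talking to the approved peer produces nothing.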
A report issued by computer research firm iSIGHT Partners in conjunction with the U.S. Secret Service, Department of Homeland Security and Financial Services Information Sharing and Analysis Center confirmed that Kaptoxa – also known by its file name, "Trojan.POSRAM" – was derived from the BlackPOS malware and was written partially in Russian.
According to a January 2014 iSIGHT analysis, Kaptoxa had a 0% detection rate among the major commercial antimalware products. Target says that none of its 40 commercial antimalware tools flagged Kaptoxa as malicious. It also bypassed more than two dozen antimalware tools employed by federal investigators in their December 2013 analysis, causing them to call Kaptoxa one of the most scalable and sophisticated malware instances in history.