ModPOS: The most sophisticated POS malware to date

Elements of ModPOS date back as far as early 2012. It targeted US retailers in late 2013 and throughout 2014, and is expected to continue to do so in the future. According to iSight Partners, the malware is responsible for the theft of information tied to millions of payment cards so far.

How did it remain (mostly) hidden so far, you ask? Well, the truth is that it’s extremely stealthy, as well as extremely sophisticated, and malware analysts have been having a hell of a time reverse-engineering its modules.

The malware’s individual modules are typically packed kernel-mode drivers, which makes them hard to detect: a signature scanner sees only the packer stub, and code running in the kernel sits below most user-mode security hooks. So far, researchers have identified three modules: a downloader/uploader, a keylogger, and a POS scraper. At the time of writing only the downloader/uploader is detected (as Straxbot), and by a single AV solution.

ModPOS also ships several plugins that collect information about the target system; about the domains, computers and network resources reachable from the infected host; and usernames and passwords for local and domain accounts. All of this is sent to the attackers.

“From a coding perspective, these samples are much more complex than average malware; there is professional-level coding, and the size, implemented operational security and overall characteristics of the code likely required a significant amount of time and resources to create and debug, and an advanced understanding of how to undermine security identification and mitigation tools and tactics,” the researchers found.

The drivers inject malicious code into a number of processes, including the System process, winlogon.exe, firefox.exe and credit.exe.

“The credit.exe process is notable and related to stealing credit card track data from the POS system’s running memory. This is unique to POS vendors that use this executable as a part of their software,” the researchers explained.

“[We are] confident that the actors customize the malware based on the targeted environment. This malware can also log keystrokes, upload stolen information and download other malware payloads. It uses AES-256-CBC encryption for data storage and transmission, and the encryption key is uniquely generated per victim system.”

The researchers believe the authors have ties with Eastern Europe.

“ModPOS, and most POS malware, has increased in sophistication. In September and October of 2015, there were several discussions within hacker forums to share information about current POS code and requests for assistance to add more functionality and test the results. The hacker community has been very active sharing information, conducting tests, tweaking code and re-testing since the summer months…all preparing for the Holiday shopping season,” says Paul Fletcher, cyber security evangelist at Alert Logic.

“In my opinion, the main points of interest about the increased sophistication of POS malware are the use of encryption and the ‘anti-forensics’ (aka obfuscation or anti-analysis) concepts.”

“The use of encryption by the attacker has been a long time coming, and it’s interesting to me because one of the best practices for security professionals is to use encryption where possible. While some organisations have been slow to adopt the use of encryption, the hacker community embraces this concept and it gives them an edge. This point shows that tools and technology are generally the same being used by attackers and security professionals, giving more proof that security technology solutions alone aren’t enough, people and process built around those security technology solutions are essential,” he pointed out.

“The anti-forensics component of sophisticated malware is an indication that the hacking community has done extensive reconnaissance on multiple POS systems, as well as the support systems (back-end) within the retailers’ infrastructure. The information gathered about POS systems is freely shared among the hacker community, which allows for a large ‘alpha’ and ‘beta’ test community to ensure the code is functional. While the technology of clearing log files, manipulating time stamps of file systems and hiding network connections is a technical skill, the time and effort to get this right involves a lot of human communication and interaction. This type of information sharing and communication by attackers emulates the type of information sharing and communication needed by security professionals.”

“It certainly could be and may already be in the UK and Europe,” commented Mark James, a security specialist at ESET.

“Malware by design needs to attack as many systems as possible to be effective, and the effort used in creating this malware would suggest its intention for long-term use. Variants may already be available for distribution or even already in use. Ensuring your POS systems are patched and updated to the latest versions is an absolute must. Make sure you segregate your systems to keep sensitive data in its rightful place and limit its exposure to people or systems that don’t need to see it. Regular network and data monitoring will need to be in place to combat this type of malware and stop it before it causes any damage.”
