Retailers warned of 'most advanced POS malware ever'

News by Tim Ring

iSIGHT says it has discovered the most advanced POS malware it has ever seen, with the ability to customise its attacks to individual victims.

The “most sophisticated” card-stealing malware seen to date, which can evade almost all security systems, has been discovered by iSIGHT Partners targeting US retailers.

Threat intelligence firm iSIGHT says the ModPOS point-of-sale (POS) malware likely originates in Eastern Europe and has been secretly attacking retail and possibly food services, hospitality and healthcare companies since at least 2013.

iSIGHT senior director Stephen Ward branded ModPOS as the “most sophisticated point of sale malware we have seen to date”.

iSIGHT has been privately warning ”numerous” retail and other companies involved with payment systems about the threat over the past two weeks but has now gone public.

Ward explained in a 24 November blog: “We believe this very hard-to-detect malware is likely being used in broader campaigns and [we] are disclosing details to help retailers and other organisations with POS and other payment processing systems hunt for and eradicate the malware.

“We know that US retailers have been targeted and believe it is very likely that criminal actors are seeking to compromise additional victims beyond those identified.”

The attacks are coming at the worst possible time for retailers in the run-up to Black Friday and the Christmas shopping period.

ModPOS has managed to stay hidden through its sophisticated structure, Ward said: “It has taken our malware analysis ninjas a substantial amount of time to reverse engineer the software. In a nutshell, this is not your daddy's run-of-the-mill cyber-crime malware. ModPOS can go undetected by numerous types of modern security defences.”

Dallas-based iSIGHT says ModPOS has three core modules – an uploader/downloader, keylogger and POS scraper module – which are almost entirely unknown to security software systems: “Anti-virus detections are non-existent for all but the uploader/downloader module, which a well-known AV software company has detected as Straxbot with a ‘low risk' rating, and no hint exists of it being related to POS malware.”

iSIGHT explained: “The injected shellcode is a full-fledged program written in a high-level language, most likely C. The services injection has nearly 600 functions, while the explorer injection has nearly 50 functions – typical shell code has an average of 0-5 functions.

“There is professional-level coding, and the size, implemented operational security and overall characteristics of the code likely required a significant amount of time and resources to create and debug, and an advanced understanding of how to undermine security identification and mitigation tools and tactics.”

Ward commented: “ModPOS is highly modular and the modules are packed kernel drivers that use multiple methods of obfuscation and encryption.”

His firm found one ModPOS module capturing credit card track data out of memory and associating itself to a POS environment. “This indicates possible targeting of any sector that uses POS systems, including retail, food services, hospitality and healthcare.”

Commenting on ModPOS, UK-based security expert Paco Hope, a principal consultant with Cigital, said its main threat lies in its modular design, which means it could easily spread to other victims and markets.

Hope told via email: “The expression ‘rising tides raise all boats' applies well here. Just like faster CPUs run both good and bad code faster, so too modular software design and code re-use benefit attackers as much as defenders. Clearly the high level of opsec [operational security] from the attackers shows that they are learning collectively from their own mistakes and the mistakes of other fraudsters.

“The attackers have built infrastructure to efficiently customise the attacks to individual victims. The obvious conclusion is that they will spread quickly to do what they can before efficient defences are built. The intersection of markets with many vulnerable POS devices and weaker secondary controls (eg, audit, chip and pin, etc) are the markets that should worry most.”

Commenting on the POS malware threat, Mark Bower, a director at HPE Security, said: “Point-of-sale checkout systems are often the weak link in the chain and the choice of malware. They should be isolated from other networks, but often are connected.

“A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.

“But risks of theft from POS malware is totally avoidable. Encrypting the data in the card-reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal. No live data means no gold to steal. Attackers don't like stealing straw.”

Along with its blog on ModPOS, ISIGHT has issued a fuller report available here (registration required):

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews