December 10, 2015
According to a new research by iSight Partners, a sophisticated ModPOS malware has hit multiple national retailers and compromised millions of payment cards. The highlight of this particular malware is that it is extremely difficult to detect.
"The way that the malware is able to hide itself makes it extremely difficult for retailers to detect it with existing capabilities. It took months for researchers to get a clear view of this malware and reverse engineer it, and then the researchers have spent a month informing retailers about how to spot it," said Stephen Ward, senior director at Dallas-based cyber threat intelligence firm iSight Partners, Inc.
ModPOS is a highly modular malware that targets point of sale systems with keylogging, RAM scraping, credential theft and network reconnaissance functions.
"What we're seeing is shell code which consists of up to 600 functions, which is astronomical," said Maria Noboa, iSight's senior threat analyst. By comparison, typical shellcode would have just a handful of functions, she said. The ModPOS framework also involves hacked kernel drivers and that, Noboa said, is what makes this malware family very dangerous. "They are essentially rootkits, difficult to detect." she said.
The only positive thing about the malware is that its creators are not selling it on underground forums or otherwise distributing it to the public. "We have researchers around the world looking for any sign of people trying to share the code," she said. So far, there haven't been any. "This gives us an indication that the authors are holding it close to their chest because it's a profit center for them," she said. "We categorize this as author-slash-operator because we believe that the people who wrote the malware are the ones operating it." She added that it was difficult to determine who the authors are, or whether they are based.
"But there are indicators that point to Eastern Europe," she said. They include malicious domains in Russia and command and control infrastructure based in the Ukraine.
Many retailers are currently in the process of switching to EMV, which allows them to accept more secure chip-based payment cards at the point of sale terminal. "There is a tendency to think that if you have EMV terminals set up, you're good to go," Noboa said. "But it has to be implemented correctly, with true end-to-end encryption in place, including encrypting data in memory. That's key here, because point-of-sale malware capitalizes on data in memory. If it's not encrypted, ModPOS can still grab that data in clear text."