“The way that the malware is able to hide itself makes it extremely difficult for retailers to detect with existing capabilities,” said Stephen Ward, senior director at Dallas-based cyber threat intelligence firm iSight Partners, Inc.
It took months for researchers to get a clear view of this malware and reverse engineer it, he said, and then the researchers have spent a month informing retailers about how to spot it.
This POS malware is sophisticated with a VERY extensive toolkit:
As its name suggests, ModPOS is a highly modular malware that targets point of sale systems with keylogging, RAM scraping, credential theft and network reconnaissance functions.
“What we’re seeing is shell code which consists of up to 600 functions, which is astronomical,” said Maria Noboa, iSight’s senior threat analyst. By comparison, typical shellcode would have just a handful of functions, she said.
ModPOS malware is basically a rootkit:
The ModPOS framework also involves hacked kernel drivers and that, Noboa said, is what makes this malware family very dangerous.
“They are essentially rootkits,” she said. “Difficult to detect.”
It isn’t all bad news though:
The one bright spot about this malware, so far at least, is that its creators are not selling it on underground forums or otherwise distributing it to the public.
“We have researchers around the world looking for any sign of people trying to share the code,” she said.
So far, there haven’t been any.
“This gives us an indication that the authors are holding it close to their chest because it’s a profit center for them,” she said. “We categorize this as author-slash-operator because we believe that the people who wrote the malware are the ones operating it.”
Isn’t EMV the answer? Maybe – maybe not…
EMV is not enough
Many retailers are currently in the process of converting to EMV, which allows them to accept more secure chip-based payment cards at the point of sale terminal.
That could help companies defend against ModPOS — but only if they do it right.
“There is a tendency to think that if you have EMV terminals set up, you’re good to go,” Noboa said. “But it has to be implemented correctly, with true end-to-end encryption in place, including encrypting data in memory. That’s key here, because point-of-sale malware capitalizes on data in memory. If it’s not encrypted, ModPOS can still grab that data in clear text.”
In addition, the rest of a company’s infrastructure might still be vulnerable to attackers, she added, including other databases, intellectual property and financial documents.
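Noboa’s point is that EMV at the terminal does nothing for card data that still sits unencrypted in the POS process’s memory, which is exactly what a RAM scraper reads. The check below is an added example, not code from iSight or from the article: it scans a memory snapshot for cleartext track-2 data (Luhn-validated, so random digit runs are ignored) so a retailer can verify that “encrypted in memory” actually holds. The snapshot bytes and the 4111… test PAN are constructed for illustration.

```python
import re
from typing import List

# Track-2 layout: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, optional service code / discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_track2(mem: bytes) -> List[str]:
    """Return masked PANs for every Luhn-valid track-2 record found in cleartext.

    A non-empty result means the POS process exposes card data to RAM scraping;
    a correctly deployed P2PE/EMV setup should yield an empty list.
    """
    hits = []
    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return hits

# Constructed snapshot 1: track data buffered in cleartext after the card read.
# 1234567890123 is included as a Luhn-invalid decoy that must NOT be reported.
CLEARTEXT_SNAPSHOT = (
    b"\x00pos.exe\x00;4111111111111111=25121011000012345?\x00"
    b";1234567890123=2512?\x00"
)

# Constructed snapshot 2: the same record encrypted at the point of capture,
# so only opaque ciphertext (no sentinels, no digit runs) remains in memory.
ENCRYPTED_SNAPSHOT = b"\x00pos.exe\x00" + bytes.fromhex(
    "9f1ac307e2b44d6a0f81c95e7d23a6f0b17c4e98d2a5f36b0c9e71d4a8f25b6c"
)

if __name__ == "__main__":
    print("cleartext snapshot:", find_cleartext_track2(CLEARTEXT_SNAPSHOT))
    print("encrypted snapshot:", find_cleartext_track2(ENCRYPTED_SNAPSHOT))
```

Run against a real memory dump of the POS process (for example one taken by your EDR tooling), a non-empty result is the evidence that the encryption Noboa describes is not actually in place.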
“The modularity allows them to use it as a Swiss Army knife,” said Ward.