ModPOS retail malware is not the work of script-kiddies
Tue 24 Nov 2015
Security researchers at iSight have identified a new malware platform in the wild, representing an unusually high level of effort in a sphere dominated by cut-and-paste jobs and minor modifications to existing malware variants.
The company reports that the framework, named ModPOS, is an active threat to U.S. retailers in the imminent high-volume buying season, and that the platform is among the most sophisticated and high-effort pieces of POS malware seen to date.
The company saw evidence of ModPOS as far back as 2012, but spent another three years studying it while warning individual retailers that appeared to have been affected. The platform is thought to be written in a high-level programming language, likely C, has a modular construction, and can load plugins.
‘ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. We believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.’
The researchers tentatively believe that the software originated in Eastern Europe, having come across related IP addresses while reverse-engineering ModPOS. Interestingly, the report notes that without the kind of end-to-end encryption about which governments have been complaining so much in the light of the attacks on Paris, even EMV/Chip-and-PIN is unlikely to protect affected systems: unless the card reader encrypts the data before handing it to the POS application (point-to-point encryption), the card data still passes through the POS software's memory in the clear, which is exactly where a RAM scraper reads it. In such cases, the report says ‘ModPOS and other malware with RAM scraping techniques can still gain access to card data. Criminals can then reuse card data, even from EMV cards, to make online (card-not-present) transactions.’
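To make the RAM-scraping point concrete, the following is an added example (not iSight's code and not taken from ModPOS) that does what a POS RAM scraper module does: it sweeps a memory buffer for track 2 formatted records, keeps only those whose PAN passes the Luhn check, and then shows the same buffer with the card records encrypted before they reached the application, as a reader-side point-to-point encryption scheme would do. The sample heap contents, the test PAN, the key and the SHA-256 counter keystream used as a stand-in for the reader's cipher are all constructed for this example.

```python
import hashlib
import re

# Track 2 as it sits in POS memory between the card read and authorization:
# optional ';' start sentinel, PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; scrapers use it to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> list[dict]:
    """Scan a memory buffer for Luhn-valid track 2 records (what a RAM scraper does)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": f"{m.group(2).decode()}/{m.group(3).decode()}",
            "service_code": m.group(4).decode(),
        })
    return hits


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic SHA-256 counter keystream; a stand-in only, not a real P2PE cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def reader_encrypt(track: bytes, key: bytes) -> bytes:
    """Stand-in for encryption inside the card reader: the POS app only ever sees ciphertext."""
    return bytes(a ^ b for a, b in zip(track, keystream(key, len(track))))


# Constructed sample data: the 4111... test PAN (Luhn-valid) and a Luhn-invalid decoy.
VALID_TRACK = b";4111111111111111=25121011234567890?"
DECOY_TRACK = b";1234567890123456=2512101000?"
READER_KEY = b"example-reader-key"  # made up for this example


def build_sample_memory(encrypted: bool = False) -> bytes:
    """Fake POS process heap: unrelated data around the card records."""
    valid, decoy = VALID_TRACK, DECOY_TRACK
    if encrypted:
        valid = reader_encrypt(valid, READER_KEY)
        decoy = reader_encrypt(decoy, READER_KEY)
    return (
        b"\x00" * 16
        + b"POS_TXN_BUFFER\x00"
        + valid
        + b"\x00" * 8
        + b"DEBUG: " + decoy
        + b"\x00" * 16
    )


if __name__ == "__main__":
    print("cleartext heap :", scrape(build_sample_memory()))
    print("encrypted heap :", scrape(build_sample_memory(encrypted=True)))
```

The cleartext buffer yields one record (the decoy is rejected by Luhn), the encrypted buffer yields none. Nothing about EMV changes the first result: the chip authenticates the card to the issuer, but the PAN and expiry still reach the application as plaintext unless the reader encrypts them, which is why the report expects card-not-present fraud even from chip cards. The same pattern, pointed at a process memory dump rather than a constructed buffer, is also the basis of a simple detection check for scraped data on POS hosts.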
It’s the level of professionalism in the code that distinguishes ModPOS. ‘From a coding perspective,’ iSight says, ‘these samples are much more complex than average malware; there is professional-level coding, and the size, implemented operational security and overall characteristics of the code likely required a significant amount of time and resources to create and debug and an advanced understanding of how to undermine security identification and mitigation tools and tactics.’
Though too generic in nature to provide a firm clue, the researchers did find local file paths left behind in the compiled binary: debug-symbol (PDB) paths such as c:\MyProjects\newplugs\lsass\release\lsass.pdb, which the linker embeds at build time and which reveal the developer's project layout and the module's working name, in this case a plugin that borrows the name of the Windows LSASS process.
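Recovering such paths is a routine first step in triage. The following added example (not iSight's tooling) scans a binary blob for the CodeView ‘RSDS’ record that carries the PDB path, decodes the GUID and age that accompany it, and splits the path into the directory components that hint at the author's project tree. The sample blob, including the GUID and a decoy ‘RSDS’ string that is not a debug record, is constructed here; only the path string itself comes from the report.

```python
import struct

RSDS_SIG = b"RSDS"  # CodeView PDB 7.0 signature that precedes the embedded PDB path


def format_guid(raw: bytes) -> str:
    """Render the 16-byte on-disk GUID (little-endian first three fields) as text."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    d4 = raw[8:]
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{d4[:2].hex().upper()}-{d4[2:].hex().upper()}"


def find_pdb_paths(blob: bytes) -> list[dict]:
    """Locate CV_INFO_PDB70 records by signature scan and return GUID, age and PDB path.

    Record layout: 'RSDS' | 16-byte GUID | uint32 age | NUL-terminated path.
    A signature scan, rather than walking the PE debug directory, still works when
    the headers are damaged or the input is an unpacked memory dump.
    """
    results = []
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        header = blob[pos + 4 : pos + 24]
        end = blob.find(b"\x00", pos + 24)
        if len(header) == 20 and end != -1:
            age = struct.unpack("<I", header[16:])[0]
            path = blob[pos + 24 : end]
            # 'RSDS' can occur by chance; accept only an ASCII path ending in .pdb
            if path.isascii() and path.lower().endswith(b".pdb"):
                results.append({
                    "offset": pos,
                    "guid": format_guid(header[:16]),
                    "age": age,
                    "path": path.decode("ascii"),
                })
        pos = blob.find(RSDS_SIG, pos + 4)
    return results


def project_hints(path: str) -> list[str]:
    """Directory components between the drive and the .pdb file: the developer's tree."""
    parts = path.replace("/", "\\").split("\\")
    return [p for p in parts[1:-1] if p]


def build_sample_binary() -> bytes:
    """Constructed stand-in for a compiled module: a decoy 'RSDS' string that is not a
    debug record, then a genuine record carrying the path quoted in the report."""
    guid = bytes.fromhex("112233445566778899AABBCCDDEEFF00")  # made-up GUID
    record = (
        RSDS_SIG
        + guid
        + struct.pack("<I", 1)
        + rb"c:\MyProjects\newplugs\lsass\release\lsass.pdb"
        + b"\x00"
    )
    return (
        b"MZ" + b"\x90" * 30
        + b"RSDS is a CodeView signature\x00"
        + b"\x00" * 8
        + record
        + b"\x00" * 16
    )


if __name__ == "__main__":
    for hit in find_pdb_paths(build_sample_binary()):
        print(hit, "->", project_hints(hit["path"]))
```

On a well-formed PE the same record is reachable through the debug directory (pefile exposes it as DIRECTORY_ENTRY_DEBUG), and the GUID plus age is the key a symbol server would use; for attribution the path components matter more than the GUID. Treat them as the report does, as a weak signal: they are trivially forged, and the decoy in the sample shows why a scanner must validate the record rather than trust the signature alone.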