Blog

ModPOS: Highly-Sophisticated, Stealthy Malware Targeting US POS Systems with High Likelihood of Broader Campaigns

By

November 24, 2015

iSIGHT Partners

ModPOS: Highly-Sophisticated, Stealthy Malware Targeting US POS Systems with High Likelihood of Broader Campaigns

Today, iSIGHT Partners is sharing details about a highly sophisticated criminal malware framework that has been used to target point-of-sale (POS) systems at US-based retailers. We believe this very hard to detect malware is likely being used in broader campaigns and are disclosing details to help retailers and other organizations with POS and other payment processing systems hunt for and eradicate the malware.

iSIGHT Partners has already briefed numerous retailers and other organizations that are involved with payment systems, and our experts are also actively working with the Retail Cyber Intelligence Sharing Center (R-CISC) to help its members detect and stop this virulent malware.

You will find a summary of ModPOS below, or download the full Intelligence Report with Indicators here.

We are hosting two webinars to review details and answer questions about ModPOS.

For any media related inquires on ModPOS, please contact Stephen Ward, sward@isightpartners.com.

 

Here is what you need to know…

WHAT IS THE NEWS?

The threat intelligence experts at iSIGHT Partners have analyzed the most sophisticated point-of-sale (POS) malware we have seen to date. ModPOS, which is short for modular point-of-sale (POS) system, is a comprehensive malware framework. The actors behind the ModPOS software have exhibited a very professional level of software development proficiency, creating a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence. Thus, ModPOS can go undetected by numerous types of modern security defenses.

ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. We believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.

We know that US retailers have been targeted and believe it is very likely that criminal actors are seeking to compromise additional victims beyond those identified. We observed a small element of the ModPOS framework as far back as 2012, with known activity in late 2013 and active targeting of US retailers through 2014. Given its sophistication, it has taken our malware analysis ninjas a substantial amount of time to reverse engineer the software.

iSIGHT-Partners-ModPOS-timeline-20nov2015

While attribution is always a difficult proposition, we have some indication that the ModPOS malware may have ties to Eastern Europe. This belief is based on IP addresses resolving to this region in samples we reverse engineered and other factors we are not disclosing.

In a nutshell, this is not your daddy’s run-of-the-mill cyber crime malware.

WE USE EMV/CHIP-and-PIN TECHNOLOGY SO WE’RE COVERED. RIGHT?

The use of EMV technology itself does not ensure that POS systems and card data are fully protected in all circumstances. EMV was designed to make it very difficult for malicious actors to manufacture perfect clones using stolen card data and is a key element in protecting the card system in toto. However, if the system configuration does not support end-to-end encryption, including encrypting data in memory, then ModPOS and other malware with RAM scraping techniques can still gain access to card data. Criminals can then reuse card data, even from EMV cards, to make online (card-not-present) transactions.

WHY ARE YOU MAKING THIS AVAILABLE TO THE PUBLIC?

We are making the ModPOS details and technical indicators publicly available in an effort to protect future victims and provide retailers and other POS and payment system operators the information they need to hunt for the ModPOS malware in their environments.

WHO IS ISIGHT PARTNERS?

Dallas-based iSIGHT Partners is a global cyber intelligence firm that delivers cyber threat intelligence and insight to leading enterprises in business and government. With 300+ experts in 18 countries and expertise in 29 languages, only iSIGHT Partners can deliver the full context and intent of our clients’ most dangerous cyber adversaries, allowing security organizations to respond faster, defend proactively and invest smarter. With iSIGHT Partners, enterprises can deploy their defenses more efficiently and effectively, and internal security professionals can more accurately quantify the return on security investments for senior management.

iSIGHT Partners Contact Info:

Media Inquiries:  iSIGHT Partners, Stephen Ward, sward@isightpartners.com

Twitter:  @iSIGHT_Partners

LinkedIn:  iSIGHT Partners