Most Advanced PoS Malware Ever

By   ISBuzz Team
Writer , Information Security Buzz | Nov 24, 2015 06:30 pm PST

The ModPOS malware has pilfered “multiple millions” of debit and credit cards from the unnamed but large retail companies incurring millions of dollars in damages. The attackers have operated in a low-key, ultra professional manner since late 2013 and has only come to light after weeks of painstaking reverse-engineering efforts by malware experts. They have kept mum, too. Cybercrime forums are entirely devoid of references to the malware. “This is POS [point-of-sale] malware on steroids,” iSight Partners senior director Steve Ward says. “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.” Security experts from ESET, Tripwire, Lieberman Software and Alert Logic have the following comments on it.

[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at IT Security Firm ESET :

How advanced actually is this?

“This particular malware is very advanced in relation to the normal level of malware we see. Malware by its very definition wants to stay hidden for as long as possible but ModPOS does this very well, it’s made up of complex modules that each have a specific purpose including finding and stealing credit card information. Quite often POS systems can be the weakest link as they need to be available 24/7 and that can affect the ability to get them patched or updated.”

What is most interesting about this malware?

“Firstly the level of coding involved in this malware is quite unique, one of its highest priorities is not being detected and it uses multiple factors to achieve this. Having each of the modules consisting of packed kernel drivers installed as a service helps to make it very hard to detect. This malware has clearly been designed to sit and monitor for specific information and once found it will encrypt that information then send it off to a command and control server.”

How widespread is this?

“It certainly could be and may already be in the UK and Europe. Malware by design needs to attack as many systems as possible to be effective and the effort used in creating this malware would suggest its intention for long term use. Variants may already be available for distribution or even already in use. Ensuring your POS systems are patched and updated to the latest versions is an absolute must. Make sure you segregate your systems to keep sensitive data in its rightful place and limit its exposure to people or systems that don’t need to see it. Regular network and data monitoring will need to be in place to combat this type of malware and stop it before it causes any damage.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Craig Young, Security Researcher at Tripwire :

“With yet another POS malware family being cited as the most sophisticated and complex in town, it is clear that criminal actors are setting their sights on long-term undetected infections. The level of complexity described by iSight Partners along with the fact that this malware is not discussed on underground forums indicates to me that this is the product of a well-resourced criminal enterprise focused on executing attacks rather than being commercial malware authors.

There are some advanced attributes of the malware such as the use of encrypted channels to relay malicious code through innocuous looking HTTP requests.  The report describes that this process would allow the requests to go unnoticed by security products but it is in fact incredibly easy for something like an intrusion-prevention system (IPS) or anomaly detection system (ADS)  to recognize and block these responses as suspicious.  It is also worth noting that there is no mention of the malware acting in any way that would prevent discovery by file integrity monitory (FIM) products such as Tripwire Enterprise. Although it is apparent that the authors invested a lot of resources into developing this attack toolkit it still seems to me as if they are preying upon victims with poor security posture.

Now that the command and control techniques and other indicators of compromise have been publicly revealed, the specific malware analyzed by iSight Partners can be trivially detected within a network. In response, the operators will likely change certain operational details to avoid detection but it is unlikely that will completely change methodology. Using network layer protections to filter unexpected HTTP requests or HTTP requests with unexpected payloads is a good starting point for retailers to identify this and other malware attempting to fetch instructions or exfiltrate data. In my opinion however the best defense against such malware is tight monitoring of file systems throughout the network but especially on devices handling payment card data. While it may be difficult to block off all potential sources of infection, the use of file-integrity monitoring (FIM) makes it incredibly difficult for the attacker to go unnoticed.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Paul Fletcher, Cyber Security Evangelist at Alert Logic :

“ModPOS, and most POS malwares, have increased in sophistication.  In September and October of 2015, there were several discussions within hacker forums to share information about current POS code and requests for assistance to add more functionality and test the results. The hacker community has been very active sharing information, conducting test, tweaking code and re-testing since the summer months…all preparing for the Holiday shopping season.

In my opinion, the main points of interest about the increased sophistication of POS malware are the use of encryption and the “anti-forensics” (aka obfuscation or anti-analysis) concepts.

The use of encryption by the attacker has been a long time coming, and it’s interesting to me because one of the best practices for security professionals is to use encryption where possible. While some organisations have been slow to adopt the use of encryption,  the hacker community embraces this concept and it gives them an edge. This point shows that tools and technology are generally the same being used by attackers and security professionals, giving more proof that security technology solutions alone aren’t enough, people and process built around those security technology solutions are essential.

The anti-forensics component of sophisticated malware is an indication that the hacking community has done extensive reconnaissance on multiple POS systems, as well as the support systems (back-end) within the retailers infrastructure. The information gathered about POS systems are freely share among the hacker community, which allows for a large “alpha” and “beta” test community to ensure the code is functional. While the technology of clearing log files, manipulating time stamps of file systems and hiding network connections is a technical skill, the time and effort to get this right involves a lot of human communication and interaction. This type of information sharing and communication by attackers emulates the type of information sharing and communication needed by security professionals.

The likelihood of these types of attacks spreading to the UK are high, however the version of code and “go by” name of the POS malware may vary.

Organisations should :

  • Conduct frequent assessments of their systems
  • Have a robust log management system (including active review of logs)
  • Use 24/7 security monitoring and alerting
  • Use network segmentation to isolate POS and support systems
  • Conduct a Cyber Incident Response exercise
  • Minimise, review and log the access level of accounts
  • Create and maintain a baseline of account usage, network flow (including clear text and encrypted traffic)
  • Stay informed of the latest vulnerabilities through multiple sources (forums, social media, RSS feeds, email notification lists etc.)
  • Conduct a threat hunt within their infrastructure to identify compromised systems”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :

ModPOS really as advanced as reported? And if so, how?

“ModPOS is hailed as being so advanced because it’s comprehensive and elegant. Much malware is like a one trick pony. It does one thing well but falls down many other places. That makes it relatively easy for experts to detect and reverse engineer. ModPOS has survived in the wild for a very long time because it dedicates much of its energy to avoiding detection. It also has a modular design which allows it to adapt, e.g. it can spin up a special module to examine unencrypted memory to defeat poorly implemented chip and pin designs. That thorough self-protection and many faceted functionality make it very complete, but it’s the way it does this which makes it elegant. ModPOS is compact and uses well-constructed code to accomplish its goals. It’s the model for the new age of professional bad guys who aren’t interested in defacing websites rather simply making money. ModPOS is the poster child for cybercrime for profit.”

What is most interesting about this malware?

“The most interesting thing about ModPOS is how quiet its creators have been. It’s a comprehensive and elegant piece of code for sure, but the fact that no one is bragging about it portrays its most dangerous aspect. ModPOS has been built to purpose by professionals with very specific, well executed vision that were disciplined enough to simply deploy it, keep quiet, and collect the money. The world of black hat hacking has almost always had an element of bragging, and that’s completely missing from this. ModPOS is a silent, professional assassin in a world of screaming, show off marauders.”

It’s been used to attack US retailers; what is the likelihood attacks will spread to the UK; what should retailers and other likely targets do?

“Given the difficulty in detecting the presence of ModPOS and its professionally elegant form, it could be in a huge number of places doing harm right now and we would not know. You can view the focus of its creators in two ways. Either they were just as focused in their targeting and ModPOS is only in a few choice places to maximize its harm there, or it’s been silently slipped into every available spot to maximize the revenues until it gets outed.”[/su_note]

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x