A new POS malware was discovered in US retailers, after the rush of Thanksgiving, and it looks like millions of US bank cards were affected.
The new POS malware is called ModPOS was found in some unnamed companies, but we know that we are talking about big retail companies, what makes the problem huge, because certainly means millions of dollars in damage.
The available information about the attackers are not a lot, but it’s known that they have been operating since 2013, and in a very professional way, never raised any suspicion, and that this malware was only discovered after weeks of painful research, and reverse-engineering by malware experts.
“This is POS [point-of-sale] malware on steroids,” “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.” Said iSight Partners senior director Steve Ward.
The malware experts took three weeks until reverse engineer one of the three kernel modules of the malware, and just to give you an idea, the same malware experts only needed 30 minutes to reverse engineer the Cheery Picker POS malware.
Steve Ward was impressed by the “incredibly talented” authors of the malware, and even refer that they did an “amazing job”, because their understanding of the security around POS was huge, “It is hard not to be impressed,” Ward said.
To give you another idea how good was this malware, the encryption used for network and C&C( command and control) data exfiltration and communication was protected with 128 and 256-bit encryption, and a new private key was needed peer customer.
Ward kept on saying that the authors of the malware must have spent a huge amount of money and time on each packed kernel driver module, which behaves like a rootkit, and it is difficult to detect and to reverse engineer.
It looks like the authors thought about this malware as an investment, designing the ModPOS to generate a large-scale, to be eventually able to get a return on their investment.
Now that the ModPOS was found and US retailers are aware of the problem, the attackers will need to change part of the base code to re-gain the obfuscation they had, but it looks like that some of these changes will be harder to implement, maybe more monetary investment will be needed again.
This is a new and very advanced malware, so we expect to keep hearing about more cases related with ModPOS and the attackers’ framework.
About the Author Elsio Pinto
(Security Affairs – ModPOS, PoS malware)