Threat intelligence firm iSIGHT Partners says it has analyzed the most sophisticated POS malware it has seen to date: ModPOS.
ModPOS, which is short for modular point-of-sale (POS) system, is a comprehensive malware framework. The actors behind ModPOS have shown a highly professional level of software development skill, creating a complex, highly functional and modular code base that places heavy emphasis on obfuscation and persistence. As a result, ModPOS can go undetected by many types of modern security defenses.
ModPOS is highly modular and can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins for credential theft and other specialized functions like network reconnaissance. iSIGHT believe other capabilities could also be leveraged. The modules are packed kernel drivers that use multiple methods of obfuscation and encryption to evade even the most sophisticated security controls.
iSIGHT know that US retailers have been targeted and believe it is very likely that criminal actors are seeking to compromise additional victims beyond those identified. They observed a small element of the ModPOS framework as far back as 2012, with known activity in late 2013 and active targeting of US retailers through 2014. Given its sophistication, it has taken malware analysis experts a substantial amount of time to reverse engineer the software.
While attribution is always a difficult proposition, we have some indication that the ModPOS malware may have ties to Eastern Europe. This belief is based on IP addresses resolving to this region in samples we reverse engineered and other factors we are not disclosing.