Point of Sale (POS) systems have been under constant attack over the past few years with hackers claiming the scalps of retailers, hoteliers, restaurants and many other retail outlets.
Security vendor iSight Partners has now revealed a piece of malware called ModPOS that they are calling the most sophisticated piece of malware they have ever seen. This is no idle statement as iSight Partners have demonstrated in a small number of briefings to security journalists over the last few days.
The details of ModPOS are available in a document which can be downloaded from the iSight Partners website (no longer available). Completing the form, however, doesn’t guarantee that iSight will send the report to you. In the past they have discovered that it is not just security professionals looking for details of malware who were interested in their report.
Instead, they have identified a number of people they term bad actors, many of them from countries involved in state-sponsored cyber attacks, who have tried to get access to their reports. For this reason, those wanting the deep technical details will have to wait for some vetting to take place before they are sent a copy.
What is ModPOS?
ModPOS is a highly modular, advanced piece of malware targeting point of sale systems, hence the name ModPOS. It is believed to have originated in Eastern Europe, and there is confirmed evidence that it was used in a number of breaches as far back as 2013. The creators of ModPOS have been careful to strictly control access to the exploit framework, and the attacks it has been involved in have been kept limited to prevent security experts from getting a good look at it.
According to Stephen Ward, Senior Director, iSight Partners: “We got our hands on it in late 2014. At the time we knew it was sophisticated but didn’t have a full view on its capabilities or a complete copy. This year we have tasked a number of researchers to find evidence of it in the underground and get it to us. The problem was that there was no chatter around this on the dark net and nobody was able to point to where it could be purchased.
“Eventually we did get some additional samples from other sources which allowed us to do a more detailed examination of it. In all it took three weeks to reverse engineer and examine the malware. To put this into perspective, the Cherry Picker POS malware took just 30 minutes to reverse engineer. This should give a good indication of how well written ModPOS is.”
What is worrying Ward and iSight Partners is that there is no deterrent yet available for ModPOS. Ward told us: “This means that there is a very high likelihood that there are active compromises out there that people are not aware of. We expect this to change shortly and for there to be a number of disclosures made.”
Why is it so hard to track down?
iSight believes that the creators of ModPOS are a highly sophisticated cyber crime gang that is not interested in monetising ModPOS through widespread exposure. Instead they are working with a small group of associates to use the software to selectively attack their targets. iSight Partners are not prepared to share names or details of anyone that they may have identified in connection with ModPOS in case it compromises their work.
John Miller, Director of ThreatScape Cyber Crime at iSight Partners told us: “Based on our analysis the user base model or scenario would be somewhere on a spectrum from single operation in-house to a very tightly knit group bound by business relationships. It is even possible that the actors might not see themselves as part of the same unit but are linked nonetheless.”
This closed-shop approach is extremely effective, and one that the wider security industry recognises, as it is used by intelligence agencies and even terror organisations. The smaller the group of people, the less risk of leaks compromising the entire organisation.
With so little information available, we were interested in whether elements of ModPOS were being recycled or used in any Advanced Persistent Threat (APT). Miller responded: “As far as we know we have not been able to tie any evidence of ModPOS to any APT campaigns that we have detected. We would not always expect to see that. It can be extremely difficult to tie people to multiple roles such as reconnaissance, espionage or malware production.”