Attackers have targeted retailers with a sophisticated malware framework that infects point-of-sale systems and uses high-level encryption to hide its functionality and make analysis difficult, security-consultancy iSIGHT Partners said on Nov. 24.
The malware framework, dubbed ModPOS, is very hard to detect and likely has infected multiple retailers, iSIGHT said. With its large code base and sophisticated techniques, the group behind ModPOS has a great deal of technical skill, Maria Noboa, lead technical analyst for cyber-crime with iSIGHT Partners, told eWEEK.
“We have professional level coding, (and) a really heavy emphasis on obfuscation,” she said. “When you think of all these things that it is doing, it is overkill, almost.”
iSIGHT’s announcement, however, riled others in the security community. Most significantly, Verizon’s Cyber Intelligence Center (VCIC) called the report “hyperbole.”
“The VCIC has not collected any reports of this malware in the wild,” the company stated in a blog post. “Our initial assessment of the iSight report does not support observations such as, ‘Most complex ever,’ or ‘silent assassin.’ These characterizations of ModPOS are hyperbole.”
Both Verizon and iSIGHT acknowledge that the malware had been previously detected by Symantec as Straxbot in December 2014. Yet, iSIGHT claimed that components of the malware were detected as far back as 2012 and that last year researchers confirmed that the software had targeted U.S. retailers.
iSIGHT decided to issue its public analysis so that retailers can look out for the attack in their point-of-sale systems, Noboa said. The company’s researchers have reverse engineered three plugins used by the framework: One that profiles the infected system, another that gathers information on the local network and a third that scrapes user names and easy-to-decrypt passwords.
The company called the malware the “most sophisticated point-of-sale malware we have seen to date.” The framework consists of a variety of different modules, each one acting like its own rootkit, hiding on a computer system and persisting even after a reboot. ModPOS uses a unique encryption key for each system that it infects, making it difficult to compare code from different systems, iSIGHT stated in its analysis.
Two of the company’s researchers required three weeks to just crack the coding around a single component of the malware framework, Noboa said.
“We only had a limited insight into the framework last year and we did not understand how sophisticated this was and what they were capable of doing,” she said. “Until one of our reverse engineers was finally able to break one of the keys of encrypted data and analyze a plugin to realize that the encrypted network traffic had additional binaries.”
The operation has almost entirely avoided detection by antivirus software programs. Only a single program of the 52 virus scanners on VirusTotal, apparently Symantec, detected a component of the threat, assigning it a severity rating of low, according to iSIGHT.
The malware likely infiltrates companies through targeted spear phishing campaigns that convince unwary employees to run untrusted programs.
Verizon decided not to warn clients about the potential threat because no antivirus firm has issued alerts.
“The absence of an alarm from Symantec or any other anti-malware defender for a Trojan that has been in existence for about a year and perhaps two years indicates ModPOS is not a significant or growing threat at this time,” Verizon’s intelligence group stated.
“The VCIC will continue to include this threat in our intelligence collection activities and advise Verizon Enterprise clients of significant changes in the risk environment.”
The VCIC has changed its estimate of a threat in the past. In March 2014, when security firm AlienVault warned of BrutPOS, the group initially did not issue an alert, but did four months later, when the malware became more prolific.
