Most complex ever ‘silent assassin’ POS malware has stolen millions from US retailers

A new kind of Point of Sales (POS) malware, known as ModPOS, has stolen 'multiple millions' of debit and credit cards from large retailers in the US since 2013, incurring millions of dollars in damages.

Described as the most complex and sophisticated to date, the malware has only come to light after weeks of painstaking reverse-engineering work by security experts.

As iSight Partners senior director Steve Ward told The Register today, 'This is POS [point-of-sale] malware on steroids.'

'We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development.'

But could ModPOS really be as advanced as reported? And if so, how?

As Jonathan Sander, VP of Product Strategy at security firm Lieberman Software explains, ModPOS is hailed as being so advanced because it’s comprehensive and elegant.

Much malware is like a one-trick pony, says Sander: it does one thing well but falls down in many other places. That makes it relatively easy for experts to detect and reverse engineer.

'ModPOS has survived in the wild for a very long time because it dedicates much of its energy to avoiding detection,' he says. 'It also has a modular design which allows it to adapt, e.g. it can spin up a special module to examine unencrypted memory to defeat poorly implemented chip and pin designs. That thorough self-protection and many faceted functionality make it very complete, but it’s the way it does this which makes it elegant.'

'ModPOS is compact and uses well-constructed code to accomplish its goals. It’s the model for the new age of professional bad guys who aren’t interested in defacing websites rather simply making money. ModPOS is the poster child for cybercrime for profit.'

What is most interesting about this malware?

'The most interesting thing about ModPOS is how quiet its creators have been. It’s a comprehensive and elegant piece of code for sure, but the fact that no one is bragging about it portrays its most dangerous aspect. ModPOS has been built to purpose by professionals with very specific, well executed vision that were disciplined enough to simply deploy it, keep quiet, and collect the money.'

The world of black hat hacking has almost always had an element of bragging, says Sander, but unusually that’s completely missing from this latest iteration.

'ModPOS is a silent, professional assassin in a world of screaming, show off marauders,' he says.

So far the silent killer has hit US retailers; but what is the likelihood attacks will spread to the UK?

'Given the difficulty in detecting the presence of ModPOS and its professionally elegant form, it could be in a huge number of places doing harm right now and we would not know,' warns Sander. 'You can view the focus of its creators in two ways. Either they were just as focused in their targeting and ModPOS is only in a few choice places to maximise its harm there, or it’s been silently slipped into every available spot to maximise the revenues until it gets outed.'

Since it is only the latest in a string of POS malware types being cited as the most sophisticated and complex in town, it's clear that criminal actors are setting their sights on long-term undetected infections, says Craig Young, security researcher at cyber threat detection firm Tripwire.

'The level of complexity described by iSight Partners along with the fact that this malware is not discussed on underground forums indicates to me that this is the product of a well-resourced criminal enterprise focused on executing attacks rather than being commercial malware authors,' says Young.

The malware has some advanced attributes, such as the use of encrypted channels to relay malicious code through innocuous-looking HTTP requests.

'Using network layer protections to filter unexpected HTTP requests or HTTP requests with unexpected payloads is a good starting point for retailers to identify this and other malware attempting to fetch instructions or exfiltrate data,' Young advises.

'In my opinion however the best defense against such malware is tight monitoring of file systems throughout the network but especially on devices handling payment card data.'


'While it may be difficult to block off all potential sources of infection, the use of file-integrity monitoring (FIM) makes it incredibly difficult for the attacker to go unnoticed.'
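A minimal sketch of the file-integrity monitoring Young recommends, added here as an example and not taken from Tripwire, iSight Partners or any product: it records SHA-256 hashes and permission bits for a directory tree, then reports what was added, removed or modified since the baseline. The directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for regular files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinked dirs
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # hash regular files only
            rel = p.relative_to(root).as_posix()
            state[rel] = (file_digest(p), p.stat().st_mode & 0o7777)
    return state

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (content or permissions)."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed sample tree standing in for a payment terminal's program directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "pos_app.exe").write_bytes(b"trusted build")
        (root / "drivers" / "reader.sys").write_bytes(b"card reader driver")
        baseline = snapshot(root)                                  # known-good state
        (root / "drivers" / "reader.sys").write_bytes(b"patched")  # content changed
        (root / "drivers" / "extra.sys").write_bytes(b"unknown")   # unexpected new file
        (root / "pos_app.exe").unlink()                            # file removed
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the monitored host, since a baseline kept on the same machine can be rewritten along with the files it describes.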

Ben Rossi
