Trojan ModPOS

iSight Partners has published a study of a new family of Trojans designed to steal data from payment systems. It is called ModPOS because it targets the point-of-sale terminals of major retailers. For a long time it evaded every antivirus product, and its activity is most visible during sales periods.

Research has shown that the first ModPOS infection occurred back in 2012. Its individual components came to the attention of virus analysts in 2013 but attracted little notice, because they dissolved into the general flow of samples. Each month the anti-virus networks of the leading companies collect from hundreds of thousands to tens of millions of malware samples, most of which are processed automatically. The sophisticated obfuscation and anti-debugging techniques in the ModPOS code made it difficult to study in a virtual machine: virus analysts had to perform many manual steps to restore the source code before a detailed study was possible.

“Typically, reverse-engineering a piece of malware takes us about twenty minutes. In the case of ModPOS it took us about three weeks just to confirm its malicious nature. It took much more time to restore the structure and try to understand how its mechanisms work. This is the most complex threat we have ever encountered,” explained senior iSight analyst Maria Noboa.

The authors of ModPOS showed a very high level of competence in developing malicious software. A single piece of shellcode contained more than six functions. They created a highly functional modular Trojan with special attention to code obfuscation, covering its tracks, concealing its current activity, and guaranteed recovery if individual components are removed.

“Actually, it is not a separate Trojan but a framework: a complex platform consisting of a set of modules and plug-ins. Together they collect detailed information about the target company, including all payment information directly from the point-of-sale systems and the personal credentials of its executives,” Noboa commented.

ModPOS significantly expands the techniques for stealing bank card data, which have traditionally relied on skimmers and shimmers. The Trojan is reconfigured to take account of the specific features of each infected target, so the hashes of its modules, and therefore any automatically generated signatures, differ from one infection to the next. For at least three years it managed to deceive not only signature scanners but also heuristic analyzers and behavioral analysis tools, because it operated at the lowest level of the system.

Acting as a kernel-level rootkit, it installs its own drivers, which intercept system functions and use encryption to make the code hard to analyze and to hide its real actions. The ModPOS modules include a keylogger, a sniffer, and a loader for new components.

iSight analysts emphasize that using EMV (the international standard for chip-card transactions) does not by itself protect against ModPOS: the Trojan can copy data directly from the memory of ATMs and payment terminals, and it can even simulate a transaction after the card has been removed. Only payment systems that encrypt data from the terminal all the way to the processing center are immune to ModPOS.

The situation is complicated by the fact that in many places older terminals are still operating in compatibility mode: they ignore the chip and simply read data from the magnetic stripe, as they did before EMV was introduced.
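The two preceding paragraphs make the defensive point of the article: a memory-scraping Trojan finds card numbers wherever the POS application holds them in the clear, and EMV does not change that, whereas encryption from the terminal to the processing center leaves nothing in memory worth scraping. The following added example (not code from iSight or from the ModPOS analysis) illustrates both halves with a small memory-hygiene check of the kind a defender would run over a process memory dump: it locates Luhn-valid card numbers in a buffer, then shows that the same check finds nothing once a terminal-side encryption stand-in has replaced the PAN fields. The buffer, the key, the `terminal_encrypts_pans` routine and the SHA-256 keystream are all constructed for the demonstration; real point-to-point encryption uses hardware key management in the terminal, not this stand-in. The card numbers are published test numbers.

```python
import base64
import hashlib
import re

# Constructed sample of what a POS process might hold in memory while a swipe
# is being authorised: card numbers mixed with ordinary application data.
SAMPLE_MEMORY = (
    b"POS v4.2 lane=07 txn=000913 amount=42.17 ts=20151120131502\x00\x00"
    b"PAN=4111111111111111 exp=2512\x00"
    b"order_id=1234567890123456\x00"  # a 16-digit run that is not a card number
    b"PAN=378282246310005 exp=2603\x00"
)

# Candidate: a run of 13 to 19 digits not adjacent to other digits.
CANDIDATE_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# Field shape used by the constructed buffer above (hypothetical, not a real POS format).
PAN_FIELD_RE = re.compile(rb"PAN=([0-9]{13,19})")


def luhn_valid(digits: bytes) -> bool:
    """Luhn checksum; filters out timestamps, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # bytes iterate as ints; 48 is ASCII '0'
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(buf: bytes) -> list:
    """Return every Luhn-valid card number present in the clear in buf."""
    return [m.group().decode() for m in CANDIDATE_RE.finditer(buf)
            if luhn_valid(m.group())]


def mask(pan: str) -> str:
    """PCI-style masking for reporting a finding without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 in counter mode); NOT a substitute for real P2PE.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def terminal_encrypts_pans(buf: bytes, key: bytes) -> bytes:
    """Simulate point-to-point encryption: the terminal encrypts each PAN
    before it reaches the POS, so the POS only ever holds ciphertext."""
    def repl(m):
        ct = bytes(p ^ k for p, k in zip(m.group(1), _keystream(key, len(m.group(1)))))
        return b"PAN=" + base64.b64encode(ct)
    return PAN_FIELD_RE.sub(repl, buf)


def report(buf: bytes) -> list:
    """Masked list of plaintext PANs found in buf."""
    return [mask(p) for p in find_plaintext_pans(buf)]


if __name__ == "__main__":
    print("unprotected POS memory:", report(SAMPLE_MEMORY))
    protected = terminal_encrypts_pans(SAMPLE_MEMORY, b"constructed-demo-key")
    print("with terminal-side encryption:", report(protected))
```

The Luhn step matters in practice: the constructed buffer contains a 14-digit timestamp and a 16-digit order id, both of which match the digit-run pattern but fail the checksum, so a scan that stopped at the regex would flood an analyst with false positives. The second run shows why the article singles out terminal-to-center encryption as the only real immunity: with nothing but ciphertext in the POS process, there is no card data for a scraper to copy.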

Code analysis suggests that ModPOS was intended primarily to infect the payment systems of US retailers. The code also contained commands for interacting with network nodes whose IP addresses belong to Eastern Europe.

iSight Partners has informed the organizations that may be using the payment systems in question. The company's experts are working actively with the R-CISC threat-sharing center to help detect and remove the malware quickly.
