
"While the traditional retail establishments have been popular targets, the threat extends to any company that runs point-of-sale," said Tim Erlin, Director, Security and IT Risk Strategist at Tripwire, in a blog post. "Most recently, we've seen a spate of identified compromises at hotels, like Hyatt, Starwood and Hilton."

The prospect of compromising a POS terminal is an enticing one. If done correctly, a computer criminal can make off with the payment details of thousands, if not millions, of unsuspecting credit card holders. With that in mind, it is no surprise that the security industry has witnessed significant innovation in POS malware over the last few years.

A few samples in particular have set the bar for POS malware development. One of those is ModPOS. First detected in 2012, ModPOS is a modular POS malware platform that comes equipped with a number of loadable plugins, including a keylogger, a POS RAM scraper and other functionality. The malicious framework is known to have targeted U.S. retailers back in 2014, though criminals likely used ModPOS to attack additional victims that have not yet been identified.

In an effort to understand the threat ModPOS poses to organizations that run point-of-sale, not to mention the evolution of POS malware more generally, we turn to Lastline, an advanced malware protection firm that has analyzed this malicious framework. Only by understanding how ModPOS executes on victims' machines can we hope to protect organizations from sophisticated POS malware threats.
The ModPOS Infection Cycle
ModPOS initiates infection using a dropper component that contains an encrypted portable executable (PE) file. Once the PE has been decrypted, the malware selects, at random, a driver service that already exists on the system and reuses it for its own 32-bit driver. The malicious framework then loads that driver into the Windows kernel.

The driver loaded into the kernel is obfuscated with several layers of packing. To unpack the driver, the malware runs three stages in sequence. In Stage 1, the malware loads an unpacker built from several basic mathematical operations such as add and xor. Using a series of functions, the unpacker generates random numbers that are passed as arguments to these simple operations. But those arguments live on a separate stack, so the data touched in this phase returns to its original form once the main unpacking loop completes. Lastline reasons that the malware authors designed this stage to throw off human analysts.

"The thread injects code into a trusted user-mode process csrss.exe (Windows subsystem process)," Lastline details. "To this end, it enumerates the processes running on the system using NtQuerySystemInformation (with parameter SystemProcessInformation(0x5)), checks the name of each process, and, once found, opens the target process. The code retrieves the process handle and allocates 0x1000 bytes inside the target process using NtAllocateVirtualMemory. Then it combines two location-independent shellcode buffers embedded inside the kernel module and writes them into the target process's memory through NtWriteVirtualMemory (location 89837A07). This shellcode serves as the entry point for running in user mode."
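The ordered sequence Lastline describes (open csrss.exe, allocate a buffer in it, write to that buffer) is also a detection opportunity. What follows is an added example, not code from Lastline or from this post: a small Python matcher that flags that sequence against a protected process in a constructed, simplified event stream. The event field names, the sample records and the System/PID 4 source are assumptions for illustration, not any product's real log format.

```python
"""Added example: flag open -> allocate -> write chains into csrss.exe.
Event fields and sample records are constructed assumptions."""
from collections import defaultdict

PROTECTED_TARGETS = {"csrss.exe"}          # trusted user-mode processes worth guarding
INJECTION_STEPS = ("open_process", "alloc_memory", "write_memory")

# Constructed sample telemetry, one dict per event (assumed field names).
# A kernel thread writing into csrss.exe is modelled here as source PID 4.
SAMPLE_EVENTS = [
    {"t": 1, "src_pid": 4,   "src": "System",      "op": "open_process", "target": "csrss.exe", "target_pid": 512},
    {"t": 2, "src_pid": 4,   "src": "System",      "op": "alloc_memory", "target": "csrss.exe", "target_pid": 512, "size": 0x1000},
    {"t": 3, "src_pid": 4,   "src": "System",      "op": "write_memory", "target": "csrss.exe", "target_pid": 512, "size": 0x1000},
    {"t": 4, "src_pid": 900, "src": "svchost.exe", "op": "open_process", "target": "csrss.exe", "target_pid": 512},
    {"t": 9, "src_pid": 900, "src": "svchost.exe", "op": "query_info",   "target": "csrss.exe", "target_pid": 512},
]

def find_injection_chains(events, window=10):
    """Return one alert per (source pid, target pid) pair that completes
    INJECTION_STEPS in order against a protected target within `window` ticks.
    A benign open followed by a query (svchost above) never completes the chain."""
    progress = defaultdict(lambda: [0, None])   # key -> [next step index, t of first step]
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["target"] not in PROTECTED_TARGETS:
            continue
        key = (ev["src_pid"], ev["target_pid"])
        state = progress[key]
        # Too long since the open: forget the partial chain and start over.
        if state[1] is not None and ev["t"] - state[1] > window:
            state[:] = [0, None]
        if ev["op"] == INJECTION_STEPS[state[0]]:
            if state[0] == 0:
                state[1] = ev["t"]
            state[0] += 1
            if state[0] == len(INJECTION_STEPS):
                alerts.append({"src": ev["src"], "src_pid": ev["src_pid"],
                               "target": ev["target"], "target_pid": ev["target_pid"],
                               "first_seen": state[1], "last_seen": ev["t"]})
                state[:] = [0, None]
    return alerts

if __name__ == "__main__":
    for a in find_injection_chains(SAMPLE_EVENTS):
        print("ALERT: %(src)s (pid %(src_pid)d) wrote into %(target)s (pid %(target_pid)d) "
              "between t=%(first_seen)d and t=%(last_seen)d" % a)
```

On real telemetry the same matcher would key on whatever process-access and memory-write events the endpoint sensor emits, with the window tuned to the sensor's timestamp resolution.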
