Oana Murarasu, Security Software Engineer at Ixia
Security Software Engineer at Ixia
Blog

ModPOS: The Newest And Most Complex POS Malware Framework

January 27, 2016 by Oana Murarasu


ModPOS is a new, very advanced malware framework targeting point-of-sale (POS) systems. Its name comes from the fact that it has a modular architecture, which uses packed kernel drivers that are challenging to detect. The modules that researchers have currently discovered include one for downloading additional components and uploading information, one for memory scraping and one for keylogging, the downloading/uploading one being the only one with anti-virus detections. What enhances the sophistication of this malware is its uniqueness per system (low indicator of compromise - IoC), which is also an indicator of the creators’ advanced knowledge and a factor that accounts for the small number of detections.


Each kernel driver contained by this malware is installed as a service with a naming scheme based on filenames. These drivers inject code into essential processes such as: System, csrss.exe, winlogon.exe, credit.exe, explorer.exe, services.exe, iexplore.exe, firefox.exe. The one process linking to stealing credit card data from the POS system’s memory is credit.exe, which is characteristic to POS software.

A short description of the ModPOS comprising modules follows:

  • The keylogging module injects malicious code into explorer.exe and logs the victim’s keystrokes. The gained data is stored locally in encrypted files. A unique encryption key is generated per each infected system and it is used with AES-265 algorithm.
  • The downloading/uploading module injects code into installed browsers (such as Internet Explorer and Firefox) or into svchost.exe. The communication is towards and from several IP addresses through HTTP GET/POST requests in order to download additional necessary plugins, modules (keylogger, memory scraper) or other malware from the command and control (C&C) servers or in order to transfer the collected data. Some of the used IPs have been discovered and are hardcoded to 109.72.149.42, 130.0.237.22, 91.218.39.217.
  • The POS memory scraping module injects code into POS particular processes such as credit.exe and harvests credit card data from the memory. The data is encrypted using AES-256 algorithm and kept in the Windows installer directory with “.bin” or “.dat” file extensions.

The ModPOS infection chain can be summarized into the following steps:

  1. After the user space application is executed, the downloader/uploader component is downloaded
  2. The packed kernel driver gets decrypted and installed on the victim’s machine
  3. The unpacked kernel driver starts injecting malicious code into internet browsers and performs HTTP requests
  4. The C&C servers send encrypted data with other plugins that need to get decrypted and installed
  5. The installed plugins collect and store data
  6. The collected data gets encrypted and sent to the C&C servers through HTTP POST requests
  7. Other additional components are downloaded and installed

All of the above make ModPOS one of the most complex and highly dangerous malware that was recently seen. In order to help companies protect against this kinds of threats, IXIA is providing a sample of the ModPOS malware in the Ixia January 2016 Malware Monthly Package Update.

-- Oana Murarasu, ATI Security Researcher