Security experts have identified a new malware family, ModPOS (Modular POS), that targets retail payment systems. The malware has modules for "scraping" payment-card numbers from the memory of point-of-sale systems: card data passes through RAM in the clear for a split second while a transaction is processed, and that is enough for the scraper to capture it even when the system never stores card data on disk. It also logs the keystrokes of users on the infected computer and transmits the stolen data to its operators. At the time of writing, most anti-malware software does not detect it, so running more than one anti-virus and anti-malware product is recommended.
The malware's modules are packed kernel drivers, which makes them harder for security products to detect. The modules identified so far are a keylogger, an uploader/downloader that exfiltrates stolen data and fetches additional components, and a payment-card data collector.
ModPOS also uses several plugins for supporting tasks, such as collecting system and network information and harvesting usernames and passwords for local and domain accounts. Each module is installed as a Windows service and injects malicious code into other processes to do its work.
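A defender-side check for the behaviour described above (modules registered as services, kernel drivers loaded from unexpected paths), written as an added example that is not code from the iSIGHT report: it parses constructed records in the shape of Windows System log Event ID 7045 ("A service was installed in the system") and flags service binaries or kernel drivers installed from outside the directories where they are normally found. The service names and paths in the sample are invented, not ModPOS indicators.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records modelled on Event ID 7045 fields; names and
# paths are invented for this example and are not real indicators.
SAMPLE_7045 = [
    r"Service Name: WinDefend | Service File Name: C:\Program Files\Windows Defender\MsMpEng.exe | Service Type: user mode service | Service Start Type: auto start",
    r"Service Name: HTTP | Service File Name: system32\drivers\HTTP.sys | Service Type: kernel mode driver | Service Start Type: demand start",
    r"Service Name: ndisflt7 | Service File Name: \??\C:\ProgramData\ndisflt7.sys | Service Type: kernel mode driver | Service Start Type: auto start",
    r"Service Name: kbdflt | Service File Name: \??\C:\Windows\kbdflt.sys | Service Type: kernel mode driver | Service Start Type: auto start",
    r"Service Name: updsvc | Service File Name: C:\Users\pos\AppData\Local\Temp\upd.exe | Service Type: user mode service | Service Start Type: auto start",
]

FIELD_RE = re.compile(r"(Service Name|Service File Name|Service Type|Service Start Type): ([^|]+)")

# Where a legitimately installed kernel driver is expected to live
# (7045 records drivers either as an absolute path or relative to %SystemRoot%).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers", "system32\\drivers")
# User-writable locations that no service binary or driver should normally use.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")


def parse_7045(line: str) -> Dict[str, str]:
    """Split one flattened 7045 record into its named fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def normalise_path(path: str) -> str:
    """Lower-case the path and drop the NT object-manager prefix (\\??\\) drivers often carry."""
    return path.lower().removeprefix("\\??\\")


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the installed service looks suspicious, else None."""
    path = normalise_path(rec.get("Service File Name", ""))
    if any(d in path for d in SUSPICIOUS_DIRS):
        return "service binary in user-writable directory"
    if rec.get("Service Type") == "kernel mode driver" and not any(
        path.startswith(d) for d in TRUSTED_DRIVER_DIRS
    ):
        return "kernel driver loaded from outside the drivers directory"
    return None


def find_suspicious(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a batch of 7045 records and collect (service name, reason) hits."""
    hits = []
    for line in lines:
        rec = parse_7045(line)
        reason = classify(rec)
        if reason:
            hits.append((rec["Service Name"], reason))
    return hits


if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_7045):
        print(f"{name}: {why}")
```

On a real host the records would come from the System event log (for example via the Windows Event Forwarding pipeline) rather than the embedded sample; the two directory lists are a starting allowlist and should be tuned to the POS image in use.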
The keylogger module injects malicious code into the "explorer.exe" process to capture the victim's keystrokes. The captured data is stored locally in a file encrypted with AES-256 under a unique key generated on the infected system.
The uploader/downloader module is used to transfer harvested data from the infected system, and download plugins and modules from the command and control (C&C) server.
The "POS Scraper" module collects payment-card track data from the POS software. Researchers believe the attackers target specific POS software processes, such as "credit.exe".
In addition, the same family as ModPOS includes a malware component codenamed "Kuhook". It is a sophisticated set of kernel-mode device drivers written for the Windows XP platform and is packed so that its code and data are unreadable without unpacking.
This malware was detected and reported by iSIGHT Partners and more technical details are available at http://info.isightpartners.