The ModPOS malware has already hit multiple national retailers and compromised millions of cards, according to new research released this morning, but there are likely to be more infections still out there since this particular malware is extremely difficult to detect.
"The way that the malware is able to hide itself makes it extremely difficult for retailers to detect with existing capabilities," said Stephen Ward, senior director at Dallas-based cyber threat intelligence firm iSight Partners, Inc.
It took months for researchers to get a clear view of this malware and reverse engineer it, he said, and then the researchers have spent a month informing retailers about how to spot it.
Company experts are also working with the Retail Cyber Intelligence Sharing Center and will be holding two additional briefings tomorrow for more than 100 retailers, he said.
As its name suggests, ModPOS is a highly modular malware that targets point of sale systems with keylogging, RAM scraping, credential theft and network reconnaissance functions.
"What we're seeing is shell code which consists of up to 600 functions, which is astronomical," said Maria Noboa, iSight's senior threat analyst. By comparison, typical shellcode would have just a handful of functions, she said.
The ModPOS framework also involves hacked kernel drivers and that, Noboa said, is what makes this malware family very dangerous.
"They are essentially rootkits," she said. "Difficult to detect."
The one bright spot about this malware, so far at least, is that its creators are not selling it on underground forums or otherwise distributing it to the public.
"We have researchers around the world looking for any sign of people trying to share the code," she said.
So far, there haven't been any.
"This gives us an indication that the authors are holding it close to their chest because it's a profit center for them," she said. "We categorize this as author-slash-operator because we believe that the people who wrote the malware are the ones operating it."
Noboa added that it is difficult to determine who the authors are, or whether they are based.
"But there are indicators that point to Eastern Europe," she said. They include malicious domains in Russia and command and control infrastructure based in the Ukraine.
EMV is not enough
Many retailers are currently in the process of converting to EMV, which allows them to accept more secure chip-based payment cards at the point of sale terminal.
That could help companies defend against ModPOS -- but only if they do it right.
"There is a tendency to think that if you have EMV terminals set up, you're good to go," Noboa said. "But it has to be implemented correctly, with true end-to-end encryption in place, including encrypting data in memory. That's key here, because point-of-sale malware capitalizes on data in memory. If it's not encrypted, ModPOS can still grab that data in clear text."
In addition, the rest of a company's infrastructure might still be vulnerable to attackers, she added, including other databases, intellectual property, financial documents.
"The modularity allows them to use it as a Swiss Army knife," said Ward.