Trickbot’s latest trick involves the addition of a point-of-sale (POS) malware making the already modular banking trojan more dangerous.

The new modules scan for indicators if the infected devices is connected to a network that supports POS services and machines although researchers haven’t fully grasped the capabilities or intentions of the these actions, according to a Nov. 21 blog post.

“We’re currently investigating how the malware authors could leverage this information, given that they have successfully infiltrated the network with POS-related services installed but stop short of getting specific data such as credit card, ATM or other banking-related information,” researchers said in the post. “It’s possible that the cyber actors are gathering information at this stage in preparation for future intrusions.”

Researchers expect the malware’s developers to use the malware’s modular abilities to add more credential stealing features and features which make the trojan more difficult to detect and defend against.In order to defend from the bot, researchers recommend users implement endpoint application control which reduces attack and infiltration exposure by ensuring only files, documents and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed, the blog said.