UDPOS PoS malware exfiltrates credit card data DNS queries

on February 12, 2018 |

A new PoS malware dubbed UDPoS appeared in the threat landscape and implements a novel and hard to detect technique to steal credit card data from infected systems.

The UDPoS malware was spotted by researchers from ForcePoint Labs, it relies upon User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP that is the protocol used by most POS malware.

The UDPoS malware is the first PoS malicious code that implements this technique disguises itself as an update from LogMeIn, which is a legitimate remote desktop control application.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blogpost published by LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

The UDPoS malware only targets older POS systems that use LogMeIn.

“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.

The command and control (C&C) server are hosted by a Swiss-based VPS provider, another unusual choice for such kind of malware.

The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log that is the actual malware.

The malicious code implements a number of evasion techniques, it searches for antivirus software disables them, it also checks if it is running in a virtualized environment.

“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:

However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.

“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”

It must be highlighted that currently there is no evidence of the UDPoS malware currently being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing the attacks.

In the past other malware adopted the DNS traffic to exfiltrate data, one of them is the DNSMessenger RAT spotted by Talos experts in 2017. The researchers from Cisco Talos team spotted the malware that leverages PowerShell scripts to fetch commands from DNS TXT records.

Further info about the UDPoS malware, including IoCs, are available in the blog post.

Pierluigi Paganini

Show Buttons
Hide Buttons