CyberWisdom Safe Harbor Commentary on UDPoS
Forcepoint says UDPoS differs from the usual POS tools because it uses UDP-based DNS traffic to carry stolen credit and debit card data out past firewalls and other security controls. According to the company, it is one of the few new POS malware tools to appear recently.
In recent years the United States, like many other countries, has moved away from magnetic stripe cards toward chip-and-PIN cards based on the Europay, Mastercard and Visa (EMV) standard. This transition made it harder for criminals to use POS malware to steal payment card data the way they did in the massive 2013 Target breach.
However, malware like UDPoS shows that criminals still find opportunities to steal data from POS systems. For example, Trend Micro reported last year that MajikPOS, a POS malware family, was used to steal data from more than 23,300 payment cards. The retailer Forever 21, which is investigating a data breach, disclosed in November last year that malware had been found on its POS systems.
The malware also uses a command-and-control server in Switzerland, which is not a location malware operators commonly use for their infrastructure.
Although the malware's use of LogMeIn-themed file names and C2 URLs, together with evidence of an earlier Intel-themed variant, suggests this may be the case, it is not clear whether the malware is currently being used in the field.
Researchers contacted LogMeIn to determine whether the company's service or product had been abused as part of the malware deployment process, and concluded that the threat actor used LogMeIn-themed file names and a LogMeIn-themed C2 domain purely as a cloaking technique.
The malware is only 88 KB, yet its monitoring component is a multithreaded application that creates five separate threads once its initialization code completes.
UDPoS malware links
“UDPoS seems to draw inspiration from several other POS malware families, so while no one feature is completely unique, their combination seems to be a deliberate attempt to bring together the elements of success in other marketing efforts,” said Luke Somerville of Forcepoint Special Investigations. “The malware contains a hard-coded list of AV and virtualization products to detect (a common denominator for much malware), but can only find the first item in the list because of a coding error.”
Forcepoint special investigator Luke Somerville said there is no evidence that UDPoS is currently being used to steal credit or debit card data. However, Forcepoint's testing shows that the malware does run to completion successfully.
In addition, one of the command-and-control servers the malware communicates with was active while Forcepoint was investigating the threat. “[This] means that the author is at least ready to deploy such malware in the field,” Somerville said.
Possible targets for malware include POS systems for hotels and restaurants and any other location with a handheld device for swiping credit and debit cards.
Somerville said: “This malware targets Windows systems, which are typically variants of the Windows XP kernel; large retailers have not recently updated their systems and may have hundreds or even thousands of vulnerable machines.”
Forcepoint discovered the malware while investigating an apparent LogMeIn service pack that generated a large number of unusual DNS requests. The company's analysis showed that the malware contacted a command-and-control server that also carried a LogMeIn-themed identity.
Somerville said there is no evidence that LogMeIn's remote access service or product was in any way abused as part of the malware deployment process. Rather, the authors of UDPoS appear to use the LogMeIn brand as a disguise. He said: “The use of the names of legitimate products as the subject of documents and service names is, in fact, an attempt to limit the suspicion of the presence of these artifacts on infected computers.”
Forcepoint itself does not know the process the malware authors use, or plan to use, to deliver UDPoS to point-of-sale systems. But the use of the LogMeIn brand to disguise the malware is no accident: many retailers and other organizations use LogMeIn's software for remote management of their POS systems.
Given the file names chosen, it is clear that the malware authors want to sneak their malware onto these systems in the guise of LogMeIn software updates, Somerville said.
LogMeIn issued an alert this week warning its users not to fall for the scam. “According to our investigation, the purpose of the malware is to trick a savvy user into executing a malicious e-mail, link or file that may contain the name of LogMeIn,” the company stated.
UDPoS is disguised to appear like a LogMeIn service pack, Forcepoint says.
thumbnail courtesy of darkreading.com
“As a distributed enterprise, retail chains and chain hotels have thousands of registered and mobile sites with hundreds and thousands of POS devices: a huge business issue for businesses and small businesses,” said Somerville. “A good firewall can detect and prevent DNS leaks, and thoughtful patches and management prevent the installation of virtual service packs.”
The researchers said organizations can mitigate this malware by watching for unusual activity patterns on the machine, in this case the DNS traffic generated when stolen card data is exfiltrated.
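One way to act on that advice, as an added example that is not part of the original article or of Forcepoint's tooling: a small Python detector that scores resolver log lines per client and domain for the traits of DNS-based exfiltration described above (a burst of queries whose leftmost labels are almost all distinct and look random). The log format, thresholds and sample lines are assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log for this example (not Forcepoint's data); one query
# per line as "time client qname". Host 10.0.5.40 shows the pattern described
# above: a burst of unique, random-looking labels under a single domain.
SAMPLE_LOG = """\
10:00:01 10.0.5.21 www.example.com
10:00:02 10.0.5.21 api.example.com
10:00:03 10.0.5.21 api.example.com
10:00:04 10.0.5.21 api.example.com
10:00:05 10.0.5.21 api.example.com
10:00:03 10.0.5.40 4a9f3c7e1b2d0f6e8c5a.svc-updates.example.net
10:00:03 10.0.5.40 7c1e0b5d9a3f2e6c4b8d.svc-updates.example.net
10:00:04 10.0.5.40 e2d8f4a1c6b3e9d7a0f5.svc-updates.example.net
10:00:04 10.0.5.40 0b6c3e9f5a2d8c1e7f4a.svc-updates.example.net
10:00:05 10.0.5.40 9f2a7d4c1e8b3f6a0d5c.svc-updates.example.net
"""

def shannon_entropy(label):
    # Bits per character: encoded card data looks random, real hostnames do not.
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def parse_log(text):
    # Returns (client, qname) pairs; malformed lines are skipped.
    rows = [line.split() for line in text.splitlines()]
    return [(r[1], r[2].lower().rstrip(".")) for r in rows if len(r) == 3]

def score_flows(records, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    # Flag (client, domain) pairs whose leftmost labels look like encoded data:
    # many queries, almost all distinct, with high per-label entropy.
    flows = defaultdict(list)
    for client, qname in records:
        # Simplification: the last two labels stand in for the registered domain.
        flows[(client, ".".join(qname.split(".")[-2:]))].append(qname)
    alerts = []
    for (client, base), names in flows.items():
        if len(names) < min_queries:
            continue
        labels = [n.split(".")[0] for n in names]
        unique_ratio = len(set(names)) / len(names)
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            alerts.append({"client": client, "base_domain": base,
                           "queries": len(names), "mean_entropy": round(mean_entropy, 2)})
    return alerts

if __name__ == "__main__":
    print(score_flows(parse_log(SAMPLE_LOG)))
```

The repeated api.example.com lookups from 10.0.5.21 are not flagged because they are not distinct, which is what separates chatty but legitimate clients from a host encoding data into query names.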
UDPoS malware spotted exfiltrating credit card data via DNS server
The first new point of sale (POS) malware seen in quite a while was spotted disguised as a LogMeIn service pack, exfiltrating data via a DNS server.
Infection Flow – PoS malware
The malware is named logmeinumon.exe. Once installed, it communicates with the C&C server and downloads the dropper archive, which contains the dropper file update.exe, LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe.
When update.exe executes, it extracts LogmeinServicePack_5.115.22.001.exe into the temp folder and automatically triggers it; this file is responsible for placing the malware files.
Once setup completes, execution passes to the monitoring component by launching logmeinumon.exe, which is a Visual Studio build and uses a string-encoding technique.
The monitoring component is a multi-threaded application whose code is mainly responsible for decrypting and decoding the malware's internal strings.
Once installed, it obtains the external IP of the infected machine with an HTTP request. Once executed, the malware generates a batch file called infobat.bat, which uses a number of standard Windows commands to create a comprehensive fingerprint of the infected machine. Forcepoint published a complete
PoS Malware Ultimately Designed to Steal Credit Card Details Through DNS Requests
A new PoS malware disguised as a LogMeIn service pack steals magnetic stripe payment card data from a wide variety of companies, from retailers to hotel groups. Security researchers from Forcepoint spotted unusually heavy UDP-based DNS traffic generated by a supposed LogMeIn service pack, which led to the discovery of the UDPoS malware.
If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.