The first new point of sale (POS) malware seen in quite a while was spotted disguised as a LogMeIn service pack exfiltrating data via a DNS server.
Forcepoint researchers discovered the malware and said it appears to be a new family of malware dubbed ‘UDPoS’ due to its heavy use of UDP-based DNS traffic, according to a Feb. 8 blog post. The malware’s most distinguishing feature is its use of DNS requests for data exfiltration which researchers described as an unusual technique albeit one that has been seen in other POS malware.
The malware also uses a Command & Control server located in Switzerland which is not a location malicious actors typically use for their infrastructure.
It is unclear whether or not the malware is currently being used in campaigns in the wild although the malware’s coordinated use of LogMeIn-themed filenames and C2 URLs coupled with evidence of an earlier Intel-themed variant suggest that may be the case.
Researchers contacted LogMeIn to determine if the firm’s services or products were abused as part of the malware deployment process but learned the threat actors were using LogMeIn-themed filenames and C2 domain as a camouflage technique.
The malware maintains a small footprint of only 88kb yet still features a monitor component that is a multi-threaded application which creates five different threads after its initialisation code is completed.
“UDPoS appears to have drawn inspiration from several other POS malware families, so while none of the individual features are entirely unique the combination of them appears to be a deliberate attempt to draw together successful elements of other campaigns,” said Luke Somerville, Head of Special Investigations at Forcepoint. “The malware contains a hard-coded list of AV and virtualization products to detect (a common feature of many strains of malware) but owing to a coding error only appears to look for the first item in this list.”
Somerville said it’s unclear whether this is a reflection of the malware still being in a relatively early stages or a just a developer’s error. Researchers can’t confirm who is behind the malware but is working to build awareness of the exploit to help protect others. Likely targets include POS terminals in in large chains such as retailers, hotels, and restaurants.
“As distributed enterprises, retail and hotel chains have hundreds and thousands of sites with POS devices at the register and mobile: this is a big business problem for enterprises as well as small businesses,” Somerville said. “A good firewall would detect and prevent the DNS exfiltration, and thoughtful patching and administration practices would stop the fake service pack being installed.”
Researchers said users can cut back on malicious malware like this by watching for the unusual patterns of activity on the machines (DNS traffic in this case) that result from exfiltrating stolen credit card.