New Point-of-Sale Malware Steals Credit Card Data via DNS Queries
Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more surreptitious techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has been discovered that relies on an unusual technique to steal payment card data from point-of-sale (PoS) systems.

Since the new POS malware relies on User Datagram Protocol (UDP) DNS traffic to exfiltrate credit card data, the security researchers at Forcepoint Labs who uncovered it dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP channel that most POS malware has used in the past. It is also thought to be the first of its kind.

Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn, a legitimate remote desktop control service used to manage computers and other systems remotely, in an attempt to avoid detection while moving stolen payment card data past firewalls and other security controls.
"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blog post published Thursday.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."
The malware sample analysed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively checks for antivirus software and virtual machines, and is meant to disable itself if it finds any. The researchers say it is unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."

Although there is no evidence of the UDPoS malware currently being used to steal credit or debit card data, Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself; it is simply impersonated. LogMeIn itself published a blog post this week, warning its customers not to fall for the scam.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.
"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
According to Forcepoint researchers, protecting against such a threat can be a tricky proposition: "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, which gives attackers a convenient channel for leaking data. A resolver that answers any query for any domain is, in effect, an outbound data path that the firewall never inspects.
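The gap described above is visible in resolver query logs, which is where a practitioner would look for it. The Python below is an added example, not code from the article, from Forcepoint or from LogMeIn, and it does not reproduce UDPoS's real wire format (the article does not describe it). It pairs a generic encoder that smuggles bytes out as hex subdomain labels under an attacker-controlled domain with a detector that parses constructed query-log lines and reports any source sending several encoded-looking names to the same domain. The log format, the placeholder domain exfil-test.invalid, the fake track data and all thresholds are assumptions chosen for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Added example: generic DNS-tunnel exfiltration encoder plus a log-based
# detector. Not UDPoS code; the hex-chunks-as-labels encoding is an
# illustrative assumption, not the malware's actual format.

HEX_RE = re.compile(r"^[0-9a-f]+$")
B32_RE = re.compile(r"^[a-z2-7]+$")


def encode_for_dns(data: bytes, domain: str, label_len: int = 32) -> list:
    """Split `data` into hex chunks and return one query name per chunk.

    Each name is <hexchunk>.<seq>.<domain>. A DNS label is limited to 63
    characters, so label_len must stay below that.
    """
    assert label_len <= 63
    hexdata = data.hex()
    chunks = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    return [f"{chunk}.{seq}.{domain}" for seq, chunk in enumerate(chunks)]


def decode_from_dns(qnames: list) -> bytes:
    """Reassemble the payload from captured names made by encode_for_dns().

    Queries may be logged out of order; the sequence label restores order.
    """
    parts = {}
    for name in qnames:
        labels = name.rstrip(".").split(".")
        parts[int(labels[1])] = labels[0]
    return bytes.fromhex("".join(parts[i] for i in sorted(parts)))


def shannon_entropy(s: str) -> float:
    """Bits per character of `s`."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (registrable_domain, subdomain_labels).

    Assumption for the example: the registrable domain is the last two
    labels. A production detector would consult the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def looks_encoded(qname: str, min_len: int = 24, min_entropy: float = 3.0) -> bool:
    """Per-query heuristic: a long subdomain label that is hex/base32-like
    or high-entropy. Noisy on its own (a long descriptive hostname also
    trips the entropy test), so detect_exfil() aggregates before reporting."""
    _, sub = split_name(qname)
    if not sub:
        return False
    longest = max(sub, key=len)
    if len(longest) < min_len:
        return False
    charset_hit = bool(HEX_RE.match(longest) or B32_RE.match(longest))
    return charset_hit or shannon_entropy(longest) >= min_entropy


def detect_exfil(log_text: str, min_queries: int = 3) -> list:
    """Parse '<epoch> <src_ip> <qname> <qtype>' lines and return a sorted
    list of (src_ip, registrable_domain, distinct_encoded_names) for every
    source that sent at least `min_queries` distinct encoded-looking names
    to the same registrable domain."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, src, qname, _ = fields
        if looks_encoded(qname):
            base, _ = split_name(qname)
            seen[(src, base)].add(qname.lower())
    return sorted((src, base, len(names)) for (src, base), names in seen.items()
                  if len(names) >= min_queries)


# Constructed sample: benign lookups from 10.0.5.17, plus 10.0.5.42 leaking
# fake track-2 style strings (well-known test PANs, not real card data) to a
# placeholder domain under the reserved .invalid TLD.
FAKE_TRACK = b";4111111111111111=25121011234567890?;5555555555554444=26031011234567890?"
EXFIL_NAMES = encode_for_dns(FAKE_TRACK, "exfil-test.invalid")

BENIGN_LINES = [
    "1518100001 10.0.5.17 www.example.com A",
    "1518100002 10.0.5.17 update.logmein.com A",
    "1518100003 10.0.5.17 long-but-wordy-hostname-for-test.example.com A",
    "1518100004 10.0.5.17 mail.example.com MX",
]
EXFIL_LINES = [f"{1518100010 + i} 10.0.5.42 {name} A" for i, name in enumerate(EXFIL_NAMES)]
SAMPLE_LOG = "\n".join(BENIGN_LINES + EXFIL_LINES) + "\n"

if __name__ == "__main__":
    for src, base, count in detect_exfil(SAMPLE_LOG):
        print(f"possible DNS exfiltration: {src} -> {base} ({count} encoded names)")
    # An analyst holding the captured names can recover what left the network.
    print(decode_from_dns(EXFIL_NAMES))
```

The wordy hostname in the benign lines is deliberately included: it scores as "encoded" on entropy alone, which is why the detector only reports a source once it has sent several distinct such names to one domain. Real deployments would add the Public Suffix List for domain splitting, a time window for the aggregation, and an allow-list for known tunnelling-style services (some antivirus and CDN products legitimately encode data in DNS labels).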

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to carry malicious PowerShell commands to compromised computers, making the malware difficult to detect on targeted systems.