New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

pos-malware-dns

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.

Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind.

Besides using ‘unusual’ DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data pass firewalls and other security controls.

“We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests,” Forcepoint researchers said in a blogpost published Thursday.

“Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.”

The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disable if find any. The researchers say it’s unclear “at present whether this is a reflection of the malware still being in a relatively early stage of development/testing.”

Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, the Forcepoint’s tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not been compromised the LogMeIn service itself—it’s just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

According to Forcepoint researchers, protecting against such threat could be a tricky proposition, as “nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications,” but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect onto targeted systems.

Go to Source

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

macos-dns-hijacker-malware

A security researcher has revealed details of a new piece of undetectable malware targeting Apple’s Mac computers—reportedly first macOS malware of 2018.

Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.

DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.

First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend’s computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses.

After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a ‘DNS Hijacker,‘ which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.

macos-root-certificate-malware

OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Patrick said.

By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes below-mentioned abilities, most of which are not currently activated in its version 1.1.0:

  • Take screenshots
  • Generate simulated mouse events
  • Perhaps persist as a launch item
  • Download and upload files
  • Execute commands
The motive, author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.

To check if your Mac computer is infected with MaMi malware, go to the terminal via the System Preferences app and check for your DNS settings—particularly look for 82.163.143.135 and 82.163.142.137.

virustotal-dns-changer-mawlare

According to VirusTotal, a multi-engine antivirus scanner, none of 59 popular antivirus software is detecting this malware at this moment, so you are advised to use a 3rd-party tool such as a firewall that can detect and block outgoing traffic.

You can also install a free open-source firewall for macOS named ‘LuLu,’ created by Patrick and available at GitHub, which blocks suspicious traffic and prevents OSX/MaMi’s from stealing your data.

Go to Source