New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more covert techniques that come with limitless attack vectors and are harder to detect.

A new strain of malware has now been discovered that relies on a unique technique to steal payment card data from point-of-sale (PoS) systems.

Since the new PoS malware relies on User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card data, security researchers at Forcepoint Labs, who uncovered the malware, dubbed it UDPoS.

Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of the HTTP that most PoS malware has used in the past. This malware is also thought to be the first of its kind.

Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn, a legitimate remote desktop control service used to manage computers and other systems remotely, in an attempt to avoid detection while transferring stolen payment card data past firewalls and other security controls.
"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blog post published Thursday.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."
The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.

It should be noted that the UDPoS malware can only target older PoS systems that use LogMeIn.

Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables itself if it detects any. The researchers say it is unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."

Although there is no evidence of the UDPoS malware currently being used to steal credit or debit card data, Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.

Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.

It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself; it is merely impersonated. LogMeIn itself published a blog post this week, warning its customers not to fall for the scam.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.
"This link, file or executable isn't provided by LogMeIn, and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
According to Forcepoint researchers, protecting against such a threat could be a tricky proposition, as "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.
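The practical takeaway from the two points above (data leaving in DNS queries, and DNS escaping the scrutiny applied to other traffic) is that resolver logs are where this class of malware becomes visible. The following is an added example, not Forcepoint's tooling or anything from the UDPoS sample: it profiles constructed resolver log lines per client and base domain and flags the pattern that carrying data in subdomain labels produces, namely many distinct, long, high-entropy leftmost labels under one parent domain. The log format, the client addresses, the `svc-check.example` domain, the thresholds and the "base domain = last two labels" simplification are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines for the example (hypothetical, not from the report).
# Format per line: "<epoch> <client_ip> <qname> <qtype>"
# 10.1.5.20 looks like an ordinary workstation; 10.1.5.21 shows the pattern
# of data carried in subdomain labels (many distinct random-looking labels).
SAMPLE_LOG = """\
1518000001 10.1.5.20 www.example.com A
1518000002 10.1.5.20 cdn.example.com A
1518000003 10.1.5.20 mail.example.com MX
1518000004 10.1.5.21 a9f3c1e47b2d8e6f0c4a5b7d9e1f3a2c.svc-check.example A
1518000005 10.1.5.21 7c2e9a1f4d6b8e0c3a5f7d9b1e4c6a8f.svc-check.example A
1518000006 10.1.5.21 0b4d6f8a1c3e5a7c9e2b4d6f8a1c3e5b.svc-check.example A
1518000007 10.1.5.21 e5c7a9b1d3f5e7a9c1b3d5f7a9c1e3b5.svc-check.example A
1518000008 10.1.5.21 3f1d5b7a9c2e4a6c8e0b2d4f6a8c0e2d.svc-check.example A
1518000009 10.1.5.21 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.svc-check.example A
1518000010 10.1.5.20 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a label; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.rstrip(".").lower(), qtype


def split_name(qname: str):
    """Return (leftmost label, base domain).

    Simplification for the example: the base domain is the last two labels.
    A real deployment would use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def profile_queries(log_text: str):
    """Aggregate per (client, base domain): query count, distinct leftmost labels,
    label entropies and the longest label seen."""
    stats = {}
    for line in log_text.strip().splitlines():
        _, client, qname, _ = parse_line(line)
        sub, base = split_name(qname)
        s = stats.setdefault((client, base),
                             {"queries": 0, "labels": set(), "entropies": [], "max_len": 0})
        s["queries"] += 1
        s["labels"].add(sub)
        s["entropies"].append(shannon_entropy(sub))
        s["max_len"] = max(s["max_len"], len(sub))
    return stats


def flag_exfil_candidates(stats, min_unique=5, min_entropy=3.0, long_label=30):
    """Return (client, base domain) pairs whose queries look like data in subdomain labels.

    Thresholds are assumptions chosen for the example; tune them against your own baseline."""
    flagged = []
    for key, s in stats.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        many_random_labels = len(s["labels"]) >= min_unique and mean_entropy >= min_entropy
        if many_random_labels or s["max_len"] >= long_label:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, base in flag_exfil_candidates(profile_queries(SAMPLE_LOG)):
        print(f"suspicious DNS pattern: client={client} domain={base}")
```

Run against the constructed sample, only the `10.1.5.21` / `svc-check.example` pair is flagged; the workstation querying `www`, `cdn` and `mail` under `example.com` stays well below both the entropy and the label-length thresholds. In production the same aggregation would run over a sliding time window and be joined with volume (queries per minute to one parent domain), since a legitimate CDN or telemetry domain can also produce long labels but rarely hundreds of distinct ones from a single PoS host.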

Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to carry malicious PowerShell commands to compromised computers, making the malware hard to detect on targeted systems.