TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: II
Serial: TR-18-054-002
Countries: IN, CN
Report Date: 20180213
UDPoS – Stealing Credit Card data via DNS Queries
A new strain of point-of-sale (PoS) malware has been discovered by security researchers that disguises itself as a LogMeIn service pack and steals credit card payment information through DNS queries. Since the malware relies on UDP DNS traffic for extraction of data, it was named “UDPoS” by researchers who discovered it. The malware disguises itself as an update from LogMeIn[1] which is a legitimate remote desktop control service used to manage computers and other systems remotely.
Impact
The malware successfully exfiltrates credit card data by bypassing firewalls and other security solutions. The malware file is named logmeinmon.exe and contacts a command and control server in Switzerland[2].
service.logmein.network | 185.73.240.207 |
The server also contains other files including update.exe and LogmeinServicePack_5.115.22.001.exe.
The suspicious LogMeIn service pack sets up the malware by placing files into a LogMeInUpdService directory and creating a new system service to establish persistence before running a monitoring component. Upon execution, the malware uses multiple standard Windows commands to harvest data from the infected machine, including payment card data, and sends the data to the server via DNS.
After initialization and reboots, the monitor component performs a DNS query on the embedded command and control server address and retrieves the external IP address of the infected machine via an HTTP GET request.
The legitimate LogMeIn service itself has not been compromised. Attackers only impersonated the service. LogMeIn published a blogpost[3] warning their customers of this malware.
Prevention and Mitigation Strategies
Although malware often targets old PoS devices, the UDPoS malware authors use simple lure tactics to entice victims into executing this malware. Preventing such attacks can be difficult as it uses DNS queries. It is recommended that our customers use latest antivirus and malware products and never click on malicious emails and links.
[2] https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns
[3] https://blog.logmein.com/products/central/phishing-alert-pos-malware-mimic-logmein-software-updates
Comments