Malware hunters from US security firm Forcepoint have stumbled across a new strain of Point of Sale (PoS) malware, the second such type of PoS malware that hides stolen credit/debit card information inside DNS requests.
The first PoS malware that was first seen employing this technique was a lesser known version of the NewPosThings PoS malware, named MULTIGRAIN, discovered in April 2016 by fellow US cyber-security firm FireEye.
But while MULTIGRAIN had been used in real-world attacks, Forcepoint says it did not find any evidence suggesting this new strain of PoS malware, named UDPoS, has made any victims as of yet. According to Forcepoint's Robert Neumann and Luke Somerville, UDPoS appears to be less sophisticated than recent strains of PoS malware, suggesting the individual/group behind it might just be taking the first steps in the realm of PoS systems.
The coding style and techniques seen within the malware can hardly be described as outstanding. Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware and, equally, there are more advanced ways of fingerprinting a PC and generating a report. That said, the method used in this sample does appear to get the job done.
These observations are important because most recently-detected strains of PoS malware are highly complex pieces of code, usually working in the computer's memory to avoid the detection of on-disk resources by security software.
The faulty or unsophisticated code, along with the reliance on on-disk artifacts suggests the threat actor behind UDPoS is largely unsophisticated, or inexperienced when it comes to interacting with PoS systems.
No real-world detections of infected systems
This lack of experience is probably the main reason why the threat actors did not manage to get off to a good start with UDPoS. Forcepoint says it detected two "lures" that carried the malware. In one case the malware was hidden inside a LogMeIn installer, and in the other, inside a package advertising Intel upgrade services.
Both packages were detected last year, in October. The lack of any recent samples can mean two things. Either the UDPoS author gave up, or he found a way to avoid detection by security software.
In spite of the scathing review Forcepoint researchers gave some of UDPoS' code, it cannot be ruled out that threat actors found a way to upgrade their codebase with improved features.
Malware that hides data inside DNS requests is rare, mainly because it is hard to get it right. UDPoS threat actors are certainly smart enough if they implemented such a complex data exfiltration system, so don't be surprised if an improved version of UDPoS pops up in card breach incidents at hotel or restaurant chains in the future.
110 Reykjavik, Iceland