Malware, disguised as a service pack for remote connectivity services software LogMeIn, is stealing magnetic strip payment card data, according to researchers at Forcepoint Labs.
The Malware was spotted after the researchers noticed that the “service pack” generated a large number of unusual domain name system (DNS) requests.
The fact that the malware steals magnetic strip data indicates it is targeted at the US rather than Europe, where payment cards protected by chip and PIN are prevalent.
The likely targets would be fixed and mobile point of sale (POS) terminals in hotels and restaurants, the researchers said.
“As distributed enterprises, retail and hotel chains have hundreds and thousands of sites with POS devices, this is a big business problem for enterprises and small businesses,” they said.
The PoS malware appears to be a new family, which the researchers have dubbed “UDPOS” because of its heavy use of user datagram protocol (UDP)-based DNS traffic to transmit payment card data to the cyber criminals behind the malware.
UDPOS malware is flawed
The researchers said it is still unclear whether the malware is currently being used in campaigns in the wild, but the co-ordinated use of LogMeIn-themed filenames and command and control (C2) server addresses in Switzerland, coupled with evidence of an earlier Intel-themed variant, suggest that it may well be.
The researchers noted that they have been in contact with LogMeIn throughout the investigation to help determine whether its services or products may have been abused as part of the malware deployment process, but no evidence of this was found.
“It appears that the use of LogMeIn-themed filenames and C2 domain by the actors behind the malware is a simple lure and ‘camouflage’ technique,” they said, adding that LogMeIn has not been affected or infected in any way.
LogMeIn has also issued a statement saying that all legitimate updates for LogMeIn products, including patches, will always be delivered securely in-product. Users will never be contacted by LogMeIn with a request to update software that also includes either an attachment or a link to a new version or update, the company said.
Read more about cyber security in the retail sector
- Vulnerable third party point-of-sale (PoS) systems represent low-hanging fruit for cyber attackers.
- UK retail body BRC publishes first of its kind step-by-step guide on how to manage cyber security threats.
- A breach settlement with 47 US states has taken the cost of the 2013 data breach at retailer Target to more than $220m.
- Retailers urged to improve security of online stores amid discoveries of cyber criminal campaigns to exploit vulnerabilities in retail websites.
The good news is that UDPOS is not as advanced as the LockPOS malware discovered in June 2017, and does not work correctly, the researchers said. UDPOS is designed to look for specific antivirus and virtual machine software to shut down to evade detection, but works for only one type at the moment.
“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers,” the researchers said in a blog post.
Under normal circumstances a good firewall would detect and prevent the DNS exfiltration, according to the researchers. “Also, thoughtful patching and administration practices would stop the unusual service pack being installed,” they said.
The transmission of stolen payment card data will result in unusual patterns of activity on the machines, which means businesses can detect this kind of attack by identifying and reacting to unusual DNS traffic patterns.
Despite the fact that the malware has faulty evasion code and leaves unnecessary trails by using data files written to disk instead of working predominantly in memory, the researchers said UDPOS is “genuinely unusual”, although not unique, in its use of DNS-based communication, and can be “quite effective” they warn.
“Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications, however DNS is still often treated differently, providing a golden opportunity to leak data,” the researchers said, meaning that detection rates for the malware are still very low.
“Visibility is always an issue when it comes to non-traditional malware. Samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems,” the researchers said.