Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New PoS Malware Family Discovered

Researchers have discovered a new Point of Sale (POS) malware. They cannot tell yet whether it is new code still being developed, or already used — complete with coding errors — in an undetected campaign. They suspect the latter.

Researchers have discovered a new Point of Sale (POS) malware. They cannot tell yet whether it is new code still being developed, or already used — complete with coding errors — in an undetected campaign. They suspect the latter.

PoS malware has been responsible for a number of high profile data breaches over the last few years, including Hyatt Hotels, Chipotle Mexican Grill, Avanti Markets, and Sonic Drive-In. The growing use of EMV (chip & pin) payment cards in the U.S. makes card-present fraud more difficult. It was always expected that this would drive criminals towards card-not-present (that is, online) fraud; making the online theft of card details more attractive.

Forcepoint researchers Robert Neumann and Luke Somerville described the malware in a blog analysis posted today. “This appears to be a new family which we are currently calling ‘UDPoS’ owing to its heavy use of UDP-based DNS traffic.” The researchers are not overly impressed by the quality of the coding, describing it as ‘a flawed gem’ — where ‘flawed’ refers to the coding and ‘gem’ to the excitement of discovering a new needle in the haystack of old malware.

The malware uses a ‘LogMeIn’ theme as camouflage. The C2 server is service-logmeln.network (with an ‘L’ rather than an ‘I’) hosting the dropper file, update.exe. This is a self-extracting 7-Zip archive containing LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe. The former, the service component of the malware, is run automatically by 7-Zip on extraction.

This service component is responsible for setting up its own folder, and establishing persistence. It then passes control to the second, or monitoring, component by launching logmeinumon.exe. The two components have a similar structure, and use the same string encoding technique to hide the name of the C” server, filenames and hard-coded process names.

The monitor component creates five different threads after attempting an anti-AV and virtual machine check and either creating or loading an existing ‘Machine ID’. The Machine ID is used in all the malware’s DNS queries. The anti-AV/VM process is flawed, attempting to open only one of several modules.

When first run, the malware generates a batch file (infobat.bat) to fingerprint the infected device, with details written to a local file before being sent to the C2 server via DNS. The precise reason for this is unclear, but the researchers note, “The network map, list of running processes and list of installed security updates is highly valuable information.”

Deeper analysis of the malware revealed a process designed to collect Track 1 and Track 2 payment card data by scraping the memory of running processes. “These processes,” say the researchers, “are checked against an embedded and pre-defined blacklist of common system process and browser names with only ones not present on the list being scanned.”

If any Track 1/2 data is found, it is sent to the C2 server. A log is also created and stored, “presumably,” say the researchers, “for the purpose of keeping track of what has already been submitted to the C2 server.”

When the researchers attempted to find additional samples of the same malware family, all they found was a different service component but without a corresponding monitor component. This one had an ‘Intel’ theme rather than a ‘LogMeIn’ theme. It was compiled at the end of September 2017, two weeks before the compilation stamp of October 11, 2017 for the LogMeIn components.

“Whether this is a sign that authors of the malware were not successful in deploying it at first or whether these are two different campaigns cannot be fully determined at this time due to the lack of additional executables,” note the authors.

They warn that legacy PoS systems — which can number thousands in large retailers — are often based on variations of the Windows XP kernel. “While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year.”

They urge sysadmins to monitor unusual activity patterns; in this case, DNS traffic. “By identifying and reacting to these patterns, businesses — both PoS terminal owners and suppliers — can close down this sort of attack sooner.”

Austin, Texas based Forcepoint, originally known as Raytheon/Websense, was created in a $1.9 billion deal involving Raytheon, Websense and Vista Equity Partners in April 2015. It was renamed to Forcepoint in January 2016.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.