Security researchers have disclosed a new family of Point of Sale (PoS) malware. It is not yet clear whether the threat is still under development or whether, coding errors and all, it has already been used in a campaign that went undetected.
PoS malware has been responsible for many high-profile data breaches in recent years. However, the growing use of EMV (chip & PIN) payment cards in the US makes card-present fraud more difficult,
so security experts have long expected attackers to shift towards card-not-present (that is, online) fraud, making the online theft of card details the more attractive target.
Researchers from Forcepoint described the PoS malware in a blog analysis published yesterday:
“This appears to be a new family which we are currently calling ‘UDPoS’ owing to its heavy use of UDP-based DNS traffic.”
The quality of the code did not impress the researchers, who described the sample as 'a flawed gem': 'flawed' referring to the coding, and 'gem' to the excitement of finding a new needle in the haystack of old malware.
The malware uses a 'LogMeIn' theme as camouflage. The C2 server, service-logmeln.network (spelled with an 'L' in place of the 'I'), hosts the dropper file update.exe, a self-extracting 7-Zip archive that contains LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe. The service component of the malware is run automatically by 7-Zip on extraction.
The service component creates a folder of its own and sets up persistence, then passes control to the second, monitoring, component by launching logmeinumon.exe. The two components have a similar structure and use the same string-encoding technique to hide the name of the C2 server, file names and hard-coded process names.
The monitor component first attempts an anti-AV and virtual-machine check and either creates or loads an existing 'Machine ID', which is included in all of the malware's DNS queries; it then creates five separate threads. The anti-AV/VM check is flawed: it attempts to open only one of the several modules it was meant to look for.
On first run, the malware generates a batch file (infobat.bat) to fingerprint the infected device, writing the details to a local file before sending them to the C2 server via DNS. The purpose of this step is unknown, though as the researchers note, "The network map, list of running processes and list of installed security updates is highly valuable information."
The analysis also revealed a process that collects Track 1 and Track 2 payment card data by scraping the memory of running processes. If any Track 1/2 data is found, it is sent to the C2 server. The researchers say a log is also created and stored, presumably "for the purpose of keeping track of what has already been submitted to the C2 server."
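To make concrete what a memory scraper of this kind is looking for, here is an added example (not code from the original article or from Forcepoint's analysis) that scans a buffer for ISO/IEC 7813 Track 1 and Track 2 layouts, filters candidates with a Luhn check, masks the PAN, and keeps a "seen" log so the same card is not reported twice. The regexes, thresholds and the sample buffer are assumptions; the page does not show the patterns UDPoS itself uses. Run it as a scanner over a process memory dump rather than as an exfiltration tool.

```python
import hashlib
import re

# Assumed track layouts (ISO/IEC 7813): the page does not show UDPoS's own patterns.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^\?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^\?]{0,30}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check: filters most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four digits; never log a full PAN."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def find_track_data(buf: bytes) -> list:
    """Return Luhn-valid Track 1/2 hits found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "pan": mask(m.group(1)),
                         "exp": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "pan": mask(m.group(1)),
                         "exp": m.group(2).decode(), "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def new_hits(hits: list, seen: set) -> list:
    """Mirror the 'already submitted' log the article mentions: report each
    masked PAN/expiry pair once, tracking a hash rather than the data itself."""
    fresh = []
    for h in hits:
        key = hashlib.sha256(f"{h['pan']}|{h['exp']}".encode()).hexdigest()
        if key not in seen:
            seen.add(key)
            fresh.append(h)
    return fresh


# Constructed sample "memory" with a well-known test PAN (4111111111111111) in
# both track formats and one Luhn-invalid decoy that the regex alone would match.
SAMPLE_MEMORY = (
    b"\x00\x00PaymentApp v3.2\x00"
    b"%B4111111111111111^DOE/JOHN^24121011000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=24121011000000000?"
    b"\x00 junk ;1234567890123456=2512101? more junk\x00"
)

if __name__ == "__main__":
    seen = set()
    for h in new_hits(find_track_data(SAMPLE_MEMORY), seen):
        print(h)
    # A second pass over the same buffer reports nothing new.
    print("second pass:", new_hits(find_track_data(SAMPLE_MEMORY), seen))
```

The Luhn filter is what separates a useful scanner from one that drowns in false positives: the decoy at the end of the sample matches the Track 2 regex but fails the checksum and is dropped. The same two regexes, pointed at process memory of payment software on a PoS host, are a reasonable starting point for a defender hunting for cleartext card data that a scraper could harvest.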
When the researchers looked for additional samples of the same family, they found a different service component with no corresponding monitor component. It had an 'Intel' theme rather than a 'LogMeIn' theme and was compiled at the end of September 2017, two weeks before the October 11, 2017 compilation stamp of the LogMeIn components.
“Whether this is a sign that authors of the malware were not successful in deploying it at first or whether these are two different campaigns cannot be fully determined at this time due to the lack of additional executables,” the authors say.
The researchers warn that legacy PoS systems are often based on variations of the Windows XP kernel: "While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year."
System administrators are urged to monitor for unusual activity patterns: "By identifying and reacting to these patterns, businesses — both PoS terminal owners and suppliers — can close down this sort of attack sooner."
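The article describes two observable traits of this family, heavy DNS traffic carrying a per-machine ID and fingerprint/card data, and a C2 domain that imitates a legitimate vendor name, but does not show the query format. The following added example (not code from the original article or from Forcepoint) is a generic detector built around those two traits: it groups DNS queries per client and registered domain, flags high-volume, long, high-entropy, non-repeating subdomains, and separately flags registered domains that become a protected brand name once confusable characters are normalised. The log format, thresholds, brand list and the sample queries are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict
from typing import Optional

# Confusable-character normalisation (assumption; extend with a real confusables table).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})
# Brand -> the registered domains that legitimately carry it (assumption).
PROTECTED_BRANDS = {"logmein": {"logmein.com"}}


def registered_domain(qname: str) -> str:
    """Naive 'last two labels'; production code should use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def lookalike_brand(reg_domain: str) -> Optional[str]:
    """Return the brand a registered domain imitates after confusable folding,
    e.g. 'service-logmeln.network' -> 'logmein'; legitimate brand domains pass."""
    label = reg_domain.split(".")[0].translate(CONFUSABLES)
    for brand, legit in PROTECTED_BRANDS.items():
        if brand.translate(CONFUSABLES) in label and reg_domain not in legit:
            return brand
    return None


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines, min_queries=20, min_sub_len=20, min_entropy=3.0, min_unique=0.8):
    """Score (client, registered domain) pairs from '<epoch> <client> <qname> <qtype>' lines."""
    stats = defaultdict(lambda: {"count": 0, "sub_len": 0, "entropy": 0.0, "subs": set()})
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        qname = qname.lower()
        reg = registered_domain(qname)
        sub = qname[: -len(reg) - 1] if qname.endswith("." + reg) else ""
        s = stats[(client, reg)]
        s["count"] += 1
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["subs"].add(sub)

    findings = []
    for (client, reg), s in stats.items():
        n = s["count"]
        reasons = []
        if (n >= min_queries and s["sub_len"] / n >= min_sub_len
                and s["entropy"] / n >= min_entropy and len(s["subs"]) / n >= min_unique):
            reasons.append("high-volume, high-entropy, non-repeating subdomains (possible DNS exfil)")
        brand = lookalike_brand(reg)
        if brand:
            reasons.append(f"registered domain imitates '{brand}' but is not its legitimate domain")
        if reasons:
            findings.append({"client": client, "domain": reg, "queries": n, "reasons": reasons})
    return findings


def build_sample_log() -> list:
    """Constructed log: a few benign lookups plus 40 queries whose labels carry a
    fixed 'machine id' and a hex chunk, the shape DNS exfil generally takes.
    This is not captured UDPoS traffic and the encoding is an assumption."""
    lines = ["1518000000 10.1.5.20 www.microsoft.com A",
             "1518000001 10.1.5.20 time.windows.com A",
             "1518000002 10.1.5.21 secure.logmein.com A"]
    machine_id = "a7f3c9e1"
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]
        lines.append(f"{1518000010 + i} 10.1.5.20 {machine_id}.{chunk}.service-logmeln.network A")
    return lines


if __name__ == "__main__":
    for f in analyze(build_sample_log()):
        print(f)
```

Two independent signals are deliberately kept apart: the volume/entropy heuristic catches DNS exfiltration to any domain, including ones with no brand theme at all, while the confusable check catches the vendor-themed domain even before it carries much traffic. On a PoS network, where the legitimate set of resolvable domains is small, both thresholds can be set far tighter than they could be on a general office segment, and the registered-domain grouping makes it easy to feed results straight into an allowlist review.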