PoS Malware Steals Credit Card Data via DNS Requests [source: bleepingcomputer]

Malware hunters from US security firm Forcepoint have stumbled across a new strain of Point of Sale (PoS) malware, the second such type of PoS malware that hides stolen credit/debit card information inside DNS requests.

The first PoS malware seen employing this technique was a lesser-known version of the NewPosThings PoS malware, named MULTIGRAIN, discovered in April 2016 by fellow US cyber-security firm FireEye.

But while MULTIGRAIN had been used in real-world attacks, Forcepoint says it did not find any evidence suggesting this new strain of PoS malware, named UDPoS, has claimed any victims as of yet.
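The exfiltration channel described above, card data tucked into DNS queries, leaves a distinctive trace in resolver logs: bursts of long, high-entropy, often hex-only subdomains under a single registered domain from one host. The detector below is an added example for this page, not Forcepoint's code or an artifact of UDPoS; the log lines, thresholds and the `exfil-example.test` domain are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log: (source_ip, queried_name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "update.example.com"),
    ("10.0.0.7", "4a1f9c3e7b2d8e0f1a2b3c4d5e6f7081.a1b2c3.exfil-example.test"),
    ("10.0.0.7", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.a1b2c3.exfil-example.test"),
    ("10.0.0.7", "0f1e2d3c4b5a69788796a5b4c3d2e1f0.a1b2c3.exfil-example.test"),
    ("10.0.0.5", "mail.example.com"),
]

def shannon_entropy(s):
    """Bits per character; encoded card data scores far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Naive last-two-labels split; production code should use a public-suffix list."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])

def score_query(name, max_label_len=30, min_entropy=3.5):
    """Return the reasons a single query name looks like DNS tunnelling."""
    labels = name.rstrip(".").split(".")
    sub_labels = labels[:-2]          # everything left of the registered domain
    sub = "".join(sub_labels)
    reasons = []
    if any(len(label) > max_label_len for label in sub_labels):
        reasons.append("long_label")  # real hostnames are rarely this long
    if sub and shannon_entropy(sub) >= min_entropy:
        reasons.append("high_entropy")
    if sub and re.fullmatch(r"[0-9a-f]+", sub):
        reasons.append("hex_only")    # hex/base32 payload encoding is typical
    return reasons

def find_suspects(queries, min_unique_subdomains=3):
    """Group by (source, registered domain); flag hosts emitting many odd subdomains."""
    flagged = {}
    seen = defaultdict(set)
    for src, name in queries:
        key = (src, registered_domain(name))
        seen[key].add(name)
        reasons = score_query(name)
        if reasons:
            flagged.setdefault(key, set()).update(reasons)
    for key in flagged:
        if len(seen[key]) >= min_unique_subdomains:
            flagged[key].add("many_unique_subdomains")
    return flagged
```

Tune the thresholds against your own baseline; CDN and telemetry domains legitimately produce long labels, so the unique-subdomain count per source is the signal that separates tunnelling from noise.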

UDPoS less sophisticated than similar PoS malware strains

According to Forcepoint’s Robert Neumann and Luke Somerville, UDPoS appears to be less sophisticated than recent strains of PoS malware, suggesting the individual/group behind it might just be taking the first steps in the realm of PoS systems.

The coding style and techniques seen within the malware can hardly be described as outstanding. Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware and, equally, there are more advanced ways of fingerprinting a PC and generating a report. That said, the method used in this sample does appear to get the job done.

These observations are important because most recently detected strains of PoS malware are highly complex pieces of code, usually working entirely in the computer’s memory so that security software has no on-disk artifacts to detect.

The faulty or unsophisticated code, along with the reliance on on-disk artifacts, suggests the threat actor behind UDPoS is largely unsophisticated, or inexperienced when it comes to interacting with PoS systems.
