[BreachExchange] Malware hides as LogMein DNS traffic to target point of sale systems

Inga Goddijn inga at riskbasedsecurity.com
Fri Feb 9 19:16:20 EST 2018


A new strain of point-of-sale (PoS) malware is disguising itself as a
LogMeIn service pack to hide the theft of customer data.
On Thursday, Forcepoint researchers Robert Neumann and Luke Somerville said
in a blog post
that a new malware family, dubbed UDPoS, attempts to disguise itself as
legitimate services to avoid detection while transferring stolen data.

A sample of the malware recently uncovered by the cybersecurity firm
masquerades as a LogMeIn function. LogMeIn <https://www.logmein.com/> is a
legitimate remote access system used to manage PCs and other systems

This fake 'service pack' generated "notable amounts of 'unusual' DNS
requests," according to the team and upon further investigation, it was
found that the fake LogMein system was actually PoS malware.

PoS malware lurks in systems where credit card information is processed and
potentially stored, such as in shops and restaurants. If a point-of-sale
system is infected, malware such as DEXTER or BlackPOS will steal the
payment card data contained on credit card magnetic strips, before sending
this information to its operator through a command and control (C&C) server.

This information can then be used to create dupe cards from banks, wipe
bank accounts, and potentially may also be used in identity theft.

In 2013, US retailer Target was the victim of PoS malware and the credit
card information of roughly 110 million customers
was stolen.

In what Forcepoint calls an occasional needle in a "digital haystack," the
new UDPoS malware uses LogMein-themed filenames and C&C URLs to hide its
DNS-based traffic.

A sample of the malware, called logmeinumon.exe, links to a C&C server
hosted in Switzerland and contains a dropper and self-extracting archives
which extracts content to temp directories.

A LogMeInUpdService directory is also created together with a system
service to enable persistence, and then a monitoring component comes into

"This monitoring component has an almost identical structure to the service
component," the researchers say. "It's compiled by the same Visual Studio
build and uses the same string encoding technique: both executables contain
only a few identifiable plain-text strings, and instead use a basic
encryption and encoding method to hide strings such as the C2 server,
filenames, and hard-coded process names."

The monitoring component not only keeps an eye on infected system processes
but also checks for antivirus protections and virtual machines.

Any data up for grabs, such as customer card information, is then collected
and sent through DNS traffic disguised as LogMein.

"Nearly all companies have firewalls and other protections in place to
monitor and filter TCP- and UDP-based communications, however, DNS is still
often treated differently providing a golden opportunity to leak data," the
researchers note.

Forcepoint emphasizes that the use of LogMein themes is simply a way to
camouflage the malware's activities, and after disclosing the findings to
the remote software firm, no evidence has been found of product or service

It is not yet known whether or not this malware is being used in the wild,
but the malware's compilation timestamps are recorded as 25 October 2017,
so this may be a relatively new campaign.

However, the researchers say that there is evidence of an "earlier
Intel-themed variant," which suggests UDPoS may be the next evolution in
operational malware which has been tweaked to become more successful and
target fresh victims.

Update 14.27GMT: LogMein provided the following statement:

"This link, file or executable is not provided by LogMeIn and updates for
LogMeIn products, including patches, updates, etc., will always be
delivered securely in-product.

You will never be contacted by us with a request to update your software
that also includes either an attachment or a link to a new version or
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180209/35bc366b/attachment.html>

More information about the BreachExchange mailing list