<div dir="ltr"><a href="http://www.zdnet.com/article/udpos-malware-hides-in-dns-traffic-to-target-point-of-sale-systems/">http://www.zdnet.com/article/udpos-malware-hides-in-dns-traffic-to-target-point-of-sale-systems/</a><div><br></div><div>A new strain of point-of-sale (PoS) malware is disguising itself as a LogMeIn service pack to hide the theft of customer data.<br></div><div><div></div>
<div class="gmail-relatedContent gmail-alignRight">
<p class="gmail-heading"><font size="2">On Thursday, Forcepoint researchers Robert Neumann and Luke Somerville </font><a href="https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns" style="font-size:small">said in a blog post</a><span style="font-size:small">
that a new malware family, dubbed UDPoS, attempts to disguise itself as
legitimate services to avoid detection while transferring stolen data.</span></p></div><p>A sample of the malware recently uncovered by the cybersecurity firm masquerades as a LogMeIn component. <a href="https://www.logmein.com/">LogMeIn</a> is a legitimate remote access product used to manage PCs and other systems remotely.</p><p>This
fake 'service pack' generated "notable amounts of 'unusual' DNS
requests," according to the team. On further investigation, the supposed
LogMeIn component turned out to be PoS malware.</p><p>PoS
malware lurks on systems where payment card data is processed and
potentially stored, such as the tills in shops and restaurants. If a point-of-sale
system is infected, malware such as DEXTER or BlackPOS will steal the
payment card data read from credit card magnetic stripes, before
sending this information to its operator through a command and control
(C&C) server.</p>
<p>This information can then be used to clone payment cards, drain
bank accounts, and potentially commit identity theft.</p><p>In 2013, US retailer Target was the victim of PoS malware and the payment card and personal data of roughly <a href="http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/" target="_blank">110 million customers</a> was stolen.</p>
<p>In what Forcepoint calls an occasional needle in a "digital
haystack," the new UDPoS malware uses LogMeIn-themed filenames and
C&C URLs to hide its DNS-based traffic.</p><p>A sample of the
malware, called logmeinumon.exe, contacts a C&C server hosted in
Switzerland and contains a dropper and self-extracting archives that
unpack their contents into temporary directories.</p><p>A LogMeInUpdService
directory is also created together with a system service to enable
persistence, and then a monitoring component comes into play.</p><p>"This
monitoring component has an almost identical structure to the service
component," the researchers say. "It's compiled by the same Visual
Studio build and uses the same string encoding technique: both
executables contain only a few identifiable plain-text strings, and
instead use a basic encryption and encoding method to hide strings such
as the C2 server, filenames, and hard-coded process names."</p><p>The
monitoring component not only keeps an eye on infected system processes
but also checks for antivirus protections and virtual machines.</p><p>Any data up for grabs, such as customer card information, is then collected and sent out over DNS traffic disguised as LogMeIn activity.</p><p>"Nearly
all companies have firewalls and other protections in place to monitor
and filter TCP- and UDP-based communications, however, DNS is still
often treated differently providing a golden opportunity to leak data,"
the researchers note.</p><p>Forcepoint
emphasizes that the LogMeIn theme is simply camouflage for the
malware's activity; after the findings were disclosed to the remote
access software firm, no evidence was found that any LogMeIn product or
service had been abused.</p><p>It is not yet known whether this malware is being
used in the wild, but the sample's compilation timestamps are
25 October 2017, so this may be a relatively new campaign.</p><p>However,
the researchers say there is evidence of an "earlier Intel-themed
variant," which suggests UDPoS is an evolution of malware already in
use, tweaked to be more effective and to target
fresh victims.</p><p>Update 14.27GMT: LogMeIn provided the following statement:</p><blockquote>"This
link, file or executable is not provided by LogMeIn and updates for
LogMeIn products, including patches, updates, etc., will always be
delivered securely in-product. <br><br>You will never be contacted by us
with a request to update your software that also includes either an
attachment or a link to a new version or update."</blockquote>
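<p>The "unusual DNS requests" that gave the sample away, and the researchers' point that DNS often escapes the filtering applied to other traffic, come down to a few measurable properties of the query stream: a stream of encoded payload chunks produces many distinct, long, high-entropy subdomain labels under one parent domain, which ordinary hostname lookups do not. The following is an added detection example, not code from the article or from Forcepoint. It runs over a constructed query log whose domains are placeholders under the reserved <code>.example</code> TLD (they are not the C2 domains from the report), and the thresholds are starting points to tune against a real resolver's logs, since CDNs and DNS blocklists also produce long, unique labels.</p>

```python
"""Heuristic detection of DNS-tunnelled exfiltration in a DNS query log.

Added example (not from the ZDNet article or the Forcepoint report).
Each registered domain is scored on the volume, uniqueness, length and
character entropy of the subdomain labels queried under it, which is what
makes a stream of encoded-payload queries stand out from ordinary lookups.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client-ip> <qname>".
# The domains are placeholders under the reserved .example TLD; they are
# not the C2 domains from the report. The 32-hex-character labels stand in
# for encoded payload chunks carried in the query name.
SAMPLE_LOG = """\
1517500001 10.0.0.21 www.example.com
1517500002 10.0.0.21 mail.example.com
1517500003 10.0.0.42 4e2a9c1b7d3f0a6e5c8b2d1f9a7c3e5b.logmein-svc.example
1517500004 10.0.0.42 9f1c2b3a4d5e6f708192a3b4c5d6e7f8.logmein-svc.example
1517500005 10.0.0.21 www.example.com
1517500006 10.0.0.42 0a1b2c3d4e5f60718293a4b5c6d7e8f9.logmein-svc.example
1517500007 10.0.0.42 7c6b5a4938271605f4e3d2c1b0a99887.logmein-svc.example
1517500008 10.0.0.21 smtp.example.com
1517500009 10.0.0.42 d4c3b2a1f0e9d8c7b6a5948372615049.logmein-svc.example
1517500010 10.0.0.42 e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a.logmein-svc.example
1517500011 10.0.0.21 www.example.com
1517500012 10.0.0.21 www.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (epoch, client, qname) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        epoch, client, qname = parts
        out.append((int(epoch), client, qname.rstrip(".").lower()))
    return out


def split_qname(qname):
    """Return (registered_domain, subdomain) using a naive last-two-labels rule.

    Production code should consult the Public Suffix List so that names
    such as host.example.co.uk are split correctly.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(records):
    """Aggregate per-domain features that DNS exfiltration tends to inflate."""
    subs_by_domain = defaultdict(list)
    clients_by_domain = defaultdict(set)
    for _, client, qname in records:
        domain, sub = split_qname(qname)
        subs_by_domain[domain].append(sub)
        clients_by_domain[domain].add(client)

    scores = {}
    for domain, subs in subs_by_domain.items():
        n = len(subs)
        scores[domain] = {
            "queries": n,
            "clients": len(clients_by_domain[domain]),
            "unique_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(len(s) for s in subs) / n,
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / n,
        }
    return scores


def flag_exfil(scores, min_queries=5, min_unique_ratio=0.9,
               min_avg_len=24, min_entropy=3.0):
    """Domains whose query stream looks like encoded payload rather than hostnames.

    All four conditions must hold, so a busy but repetitive domain such as
    www.example.com (many queries, few distinct labels) is not flagged.
    """
    return sorted(
        d for d, s in scores.items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= min_unique_ratio
        and s["avg_sub_len"] >= min_avg_len
        and s["avg_entropy"] >= min_entropy
    )


def analyse(text):
    """Parse a log and return the list of flagged registered domains."""
    return flag_exfil(score_domains(parse_log(text)))


if __name__ == "__main__":
    for domain, s in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{domain:24} q={s['queries']:2d} uniq={s['unique_ratio']:.2f} "
              f"len={s['avg_sub_len']:5.1f} H={s['avg_entropy']:.2f}")
    print("flagged:", analyse(SAMPLE_LOG))
```

<p>On the constructed log only <code>logmein-svc.example</code> is flagged: six queries, every label distinct, 32 characters each, entropy close to the 4-bit maximum for hexadecimal text. The legitimate domain sees a similar query count but repeats the same three short labels. In a real deployment the same features can be computed per client as well as per domain, which is what exposes a single compromised till sending far more distinct lookups to one domain than any of its peers.</p>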
</div></div>