To evade detection by security products, threat actors with sophisticated tools and tactics at their disposal often hide their malicious communications inside channels that are rarely inspected. In one such incident, a Point of Sale (PoS) malware was found using DNS for its communication with the attackers.
Alina, a PoS-targeting malware first detected in 2012, was observed leveraging the DNS protocol to talk to its server.
In June this year, Alina was found to be using DNS queries to send stolen credit card details to the threat actor's servers. To find and steal unencrypted credit card data, the malware scrapes the RAM of PoS devices. Before sending card numbers to its C2 servers, it validates them with the Luhn checksum algorithm, so that only well-formed card numbers are exfiltrated. The malware also scrapes the memory of a number of PoS-related processes, such as Brain.exe, Focus.exe and appidt.exe, for credit card details.
Alina is neither the first nor the only malware abusing DNS for malicious communication. Earlier this year, in February, the Mozart malware was found using DNS TXT records to communicate with remote attackers and avoid detection by security software.
Importance of DNS –
Since systems that process credit cards usually run in Windows environments, they are a natural target for the skills already present in the crimeware market. Even though credit card processing takes place in highly restricted environments, DNS is rarely monitored, which makes it an attractive channel for outbound communication from PoS malware, including the exfiltration of stolen credit card data.
To pull this off, malware authors encode the stolen information, place it in the subdomain of an actor-controlled domain name, and issue a DNS query for that name. The query is forwarded by the organisation's own recursive resolver to the authoritative name server for the domain, which the attackers control, so they receive the encoded data without the PoS host ever opening a direct outbound connection. Long, high-entropy subdomains made up of base32 or hexadecimal characters are the visible trace of this technique.
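The following is an added example, not code from the original post or from the Alina sample. It shows both halves of the technique described above and in the earlier paragraph on Alina: the Luhn check the malware runs on scraped card numbers, a base32 encoding of the card data into subdomain labels of an actor-controlled domain (the domain `exfil-example.test`, the log format and the card numbers are all constructed for illustration), and the check a defender can run over resolver logs to flag such queries. The thresholds and the "last two labels form the registered domain" rule are simplifying assumptions; a real deployment would baseline them against its own traffic and use the Public Suffix List.

```python
import base64
import math
from collections import Counter

# ---- what the malware does before exfiltrating --------------------------------

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the same sanity check Alina applies to scraped card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def encode_as_query(payload: bytes, c2_domain: str) -> str:
    """Attacker side: base32 keeps the data inside the hostname alphabet;
    padding is stripped and the text is cut into labels of at most 63 bytes."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + 63] for i in range(0, len(text), 63)]
    return ".".join(labels + [c2_domain])

def decode_from_query(qname: str, c2_domain: str) -> bytes:
    """Attacker side: the authoritative server recovers the payload from the QNAME."""
    sub = qname[: -(len(c2_domain) + 1)].replace(".", "").upper()
    sub += "=" * (-len(sub) % 8)            # restore the padding b32decode expects
    return base64.b32decode(sub)

# ---- what the defender can do with resolver logs ------------------------------

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def subdomain_features(qname: str) -> dict:
    """Split off the registered domain (assumed here to be the last two labels)
    and measure what is left; encoded card data shows up as long, high-entropy text."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])
    return {
        "sub_len": len(sub),
        "entropy": round(shannon_entropy(sub), 3),
        "label_count": len(labels),
    }

def is_exfil_like(qname: str, min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """Illustrative thresholds (assumption): tune them against your own DNS baseline."""
    f = subdomain_features(qname)
    return f["sub_len"] >= min_len and f["entropy"] >= min_entropy

def flag_dns_log(lines) -> list:
    """Constructed log format: '<timestamp> <client-ip> <qtype> <qname>'.
    Returns (client, qname) pairs that look like encoded exfiltration."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _qtype, qname = parts
        if is_exfil_like(qname):
            flagged.append((client, qname))
    return flagged

C2_DOMAIN = "exfil-example.test"            # hypothetical actor-controlled domain

def demo():
    pan = "4539578763621486"                # constructed, Luhn-valid test number
    assert luhn_valid(pan)
    qname = encode_as_query(f"{pan}|08/27".encode(), C2_DOMAIN)
    log = [                                  # constructed resolver log lines, not real traffic
        "2020-06-12T10:02:11Z 10.1.5.23 A www.example.com",
        "2020-06-12T10:02:12Z 10.1.5.23 A pos-terminal-01.corp.example",
        f"2020-06-12T10:02:13Z 10.1.5.23 A {qname}",
    ]
    return qname, flag_dns_log(log)

if __name__ == "__main__":
    qname, flagged = demo()
    print("exfil query:", qname)
    print("flagged    :", flagged)
```

Note that a 22-byte record (card number plus expiry) fits in a single 36-character label, so a single A query carries a whole card; the detector therefore keys on the shape of the subdomain rather than on volume, and a PoS host that resolves any external name at all is itself worth an alert.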
Other techniques recently seen against PoS systems include –
- Last month, attackers were seen hiding data in fake error logs, storing ASCII characters disguised as hexadecimal values. By doing so, they collected information about the PoS software and other software installed on the victim systems.
- The operators of the Sodinokibi ransomware, which we covered in our blog last week, added a new tactic alongside their usual data encryption attack: scanning victim networks for PoS data and credit card details in order to extract extra money from victims.
PoS malware continues to pose a serious threat, and DNS remains a popular channel for malware authors to bypass security controls and exfiltrate data from protected networks. Attackers regularly update their Tactics, Techniques, and Procedures (TTPs) to evade detection, so the best defense is continuous monitoring for anomalies within the network, DNS traffic included: unusually long or high-entropy subdomains, bursts of queries to a single newly seen domain, and queries from PoS hosts that have no legitimate reason to resolve external names.
To read more, please check eScan Blog