Cylance vs. UDPoS Malware


Point of sale (PoS) systems remain a tempting target for threat actors. While corporations and other large organizations can afford private IT security teams to monitor payment data, many smaller businesses cannot. PoS systems usually send credit card data to simple computers running basic versions of Windows or Linux, increasing their attractiveness to criminals.  

UDPoS is a newly-discovered malware that preys upon credit card payment systems. It uses several deceptive tricks to infiltrate PoS systems and obtain credit card information. Once the information is collected, UDPoS uses DNS tunneling to exfiltrate the data from the system.
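One way a defender can hunt for the DNS tunneling exfiltration described above is to look for the shape it leaves in query logs: many distinct, long, high-entropy subdomains under one registered domain from a single host. The following is an added example, not code from the original post or from Cylance; the log format, the "last two labels are the registered domain" split and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample query log (source IP, query name, record type), not from
# the original post; the hex labels are made-up filler standing in for encoded data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.7 3fa91c7e5b2d8046e1a9c3f7b5d20846.c2-example.invalid A
10.0.0.5 mail.example.com MX
10.0.0.7 0d4b7f2ae9c618359c3e6a1f05d8b742.c2-example.invalid A
10.0.0.7 b70e2d9c4a6f183557a1e84c3f9b26d0.c2-example.invalid A
10.0.0.5 cdn.example.com A
10.0.0.7 4e8b0c5d1a2f6937f2d6a0b9c3e71584.c2-example.invalid A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def split_query(qname):
    """(subdomain part, registered domain); assumes the last two labels are the domain."""
    labels = qname.rstrip(".").split(".")
    return (".".join(labels[:-2]), ".".join(labels[-2:])) if len(labels) > 2 else ("", qname)

def parse_log(text):
    """Return (source, qname, qtype) tuples, skipping malformed lines."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 3]

def find_tunnels(records, min_queries=3, min_entropy=3.0, min_label_len=20):
    """Group queries per (source, registered domain) and flag groups whose
    subdomains are numerous, long and high-entropy, the signature of DNS exfil."""
    groups = defaultdict(list)
    for src, qname, _ in records:
        sub, reg = split_query(qname)
        groups[(src, reg)].append(sub)
    alerts = {}
    for key, subs in groups.items():
        uniq = set(subs)
        if len(uniq) < min_queries:
            continue  # too few distinct names to judge; normal caching keeps this low
        avg_ent = sum(shannon_entropy(s) for s in uniq) / len(uniq)
        avg_len = sum(max(len(l) for l in s.split(".")) for s in uniq) / len(uniq)
        if avg_ent >= min_entropy and avg_len >= min_label_len:
            alerts[key] = {"queries": len(subs), "unique": len(uniq),
                           "avg_entropy": round(avg_ent, 2), "avg_label_len": round(avg_len, 1)}
    return alerts

if __name__ == "__main__":
    print(find_tunnels(parse_log(SAMPLE_LOG)))
```

Thresholds are starting points to tune against your own resolver logs; legitimate CDN and anti-spam lookups also produce long labels, so pair this with volume-over-time and domain age before acting on a hit.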

UDPoS Analyzed

The Cylance Threat Guidance team recently performed a detailed analysis of UDPoS.

Our tests began with the malware dropper, a self-extracting 7-zip archive file named update.exe. The archived file contains a malware service and payload. When the dropper is executed the malware payload, logmeinumon.exe, is extracted to disk. The service, LogmeinServicePack_5.115.22.001.exe, is executed by 7-zip’s RunProgram feature. The LogMeIn naming convention is likely an attempt by threat actors to camouflage the malware as legitimate remote desktop protocol (RDP) software.

The dropper self-deletes after execution, leaving the malware service to create a persistence mechanism on the host. The system locations used by UDPoS to store malicious persistence components depend upon the rights of the user executing the malware. Once persistence has been established the malware service relinquishes control to the payload.

The UDPoS payload loads itself into memory and then performs a check for existing antivirus (AV) solutions. This check contains buggy code which successfully identifies only one of four AV libraries. The malware then creates an ID file, hdwid.dat, for storing stolen data. UDPoS then launches five threads which perform the heavy-lifting for the malware:

This is a Security Bloggers Network syndicated blog post authored by Cylance Blog. Read the original post at: Cylance Blog