Threat Spotlight: Inside UDPoS Malware

UDPoS is a recently discovered family of Point-of-Sale (PoS) malware, designed to harvest and exfiltrate credit card information from PoS systems using DNS tunneling.

This new family uses several deception tricks: it attempts to disguise itself as a LogMeIn service pack update, and it makes network connections to a URL that masquerades as a legitimate LogMeIn domain.

The following is a technical overview of this new malware family.

Technical Analysis

Upon detonation, UDPoS drops several components, establishes a persistence mechanism, scrapes the victim's memory for track 1 and track 2 credit card data, comprehensively enumerates host system information, packages all of the retrieved data together and encrypts it with RC4, and finally exfiltrates the data via DNS to an external command and control (C2) server.

While DNS-tunneling-based exfiltration in PoS malware is nothing new, UDPoS highlights the fact that, aside from running antivirus (AV) and EDR solutions, organizations should place greater emphasis on examining DNS traffic for dubious or anomalous characteristics.
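As an added illustration of that point (this is example code, not part of the Cylance analysis), the following Python heuristic scans constructed DNS query log lines for the traits DNS-tunneling exfiltration tends to leave behind: long, high-entropy leftmost labels and many unique subdomains from one client under one registered domain. The log format, thresholds, and the lookalike domain under the reserved `.example` TLD are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client-ip> <queried-name>", one query per line.
# The four 32-hex-character labels imitate encrypted data chunks carried in DNS queries.
SAMPLE_LOG = """\
2018-02-06T10:00:01 10.1.1.5 www.example.com
2018-02-06T10:00:02 10.1.1.5 mail.example.com
2018-02-06T10:00:03 10.1.1.9 7a3f9c1e0d4b5a6f8e2c1d0b9a8f7e6d.ns.logmein-update.example
2018-02-06T10:00:04 10.1.1.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.ns.logmein-update.example
2018-02-06T10:00:05 10.1.1.9 deadbeefcafef00d1122334455667788.ns.logmein-update.example
2018-02-06T10:00:06 10.1.1.9 ba5eba11c0ffee00aa55bb66cc77dd88.ns.logmein-update.example
2018-02-06T10:00:07 10.1.1.5 cdn.example.org
"""

def shannon_entropy(text):
    """Bits per character; hex-encoded payload labels sit near 4.0, human names far lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive 'last two labels' cut (assumption); production code should use the public suffix list."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def score_query(qname, max_label=24, min_entropy=3.5):
    """Return the reasons a single query name looks like a tunnel chunk (empty list = benign)."""
    first = qname.split(".")[0]
    reasons = []
    if len(first) > max_label:
        reasons.append("long-label")
    if shannon_entropy(first) >= min_entropy:
        reasons.append("high-entropy")
    return reasons

def find_tunnel_candidates(log_text, min_unique=3):
    """Group suspicious queries by (client, registered domain); a tunnel needs many unique names."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if score_query(qname):
            per_pair[(client, registered_domain(qname))].add(qname)
    return {pair: sorted(names) for pair, names in per_pair.items() if len(names) >= min_unique}

if __name__ == "__main__":
    for (client, domain), names in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(names)} unique high-entropy subdomains")
```

Volume over time and the ratio of TXT or NULL record queries would be the next features to add; the thresholds above are starting points to tune against your own resolver logs.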

File Information:

SHA256: de385ba88288785f3e9312d99884756e9f13598491d9efa817d78f0ac3ea06de
Classification: Dropper
Alias: UDPoS, Spyware.Infostealer.POS, TSPY_UDPOS.A
Type: Win32 PE
Size: 157 KB (160,827 bytes)
Timestamp: 2012-12-31 00:38:32
ITW names: Update.exe, 7ZSfxMod_x86.exe
Overview: 7zip self-extracting archive; drops and runs the installer.

SHA256: 423e1020debbd759aa8ea07635ce79752c5f8bb6912f52fb001d1ce4128a39c5
Classification: Trojan
Alias: UDPoS, Spyware.POSCardStealer, Spyware.Infostealer.POS, TSPY_UDPOS.A
Type: Win32 PE
Size: 57.5 KB (58,880 bytes)
Timestamp: 2017-10-25 12:09:16
ITW names: LogmeinServicePack_5.115.22.001.exe
Overview: Installs and runs the main info-stealer component as a service.

SHA256: 62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf
Classification: Infostealer
Alias: UDPoS, Spyware.POSCardStealer, Spyware.Infostealer.POS
Type: Win32 PE
Size: 88.0 KB (90,112 bytes)
Timestamp: 2017-10-25 12:11:08
ITW names: logmeinumon.exe
Overview: Attempts to steal track 1 and track 2 credit card data from memory and exfiltrate it via DNS.


The Dropper and Installer:

The initial dropper, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Blog. Read the original post at: https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html