Forcepoint Labs has discovered a new piece of PoS malware. Point of Sale malware has been around for some time and has been deployed against a broad range of businesses, from retailers to hotel groups. There have been several Point of Sale malware families identified over the past few years, all with the same goal: harvesting credit card data on a large scale. Consider how many different cards may be used in stores, bars, or restaurants across the course of a day, let alone weeks or months.

These sorts of samples generally make up the majority of incoming malicious files and are, from a researcher's standpoint, typically not very interesting. Deeper investigation, however, revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.

Note: Forcepoint has been in contact with LogMeIn throughout this investigation to help determine whether their services or products may have been abused as part of the malware deployment process.

A Set of Two — Service & Monitor

Behavioural analysis of the initial sample Forcepoint discovered, a file named logmeinumon.exe, showed that the malware is made up of two components: a service component and a monitor component. The parent 7-Zip SFX archive deploys two executables, ‘[...]22.exe’ and ‘logmeinumon.exe’. The service component handles installation via a batch file with a semi-random filename embedding standard Windows commands for file and service operations.

The monitoring component has an almost identical structure to the service component. It also makes use of a batch file, ‘[...].bat’, which is similar in structure to the one examined for the service component.

Initialisation & Evasion

After initialisation, including after reboots, the monitor component performs a DNS query on the embedded C2 address and retrieves the external IP address of the infected machine via an HTTP GET request: {C2URL}/index.php/?udpool={Machine ID}. This randomly generated identifier is used as {Machine ID} in all of the DNS queries detailed below.

For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both the service and monitor components. However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else. It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.

DNS Comms & Post Setup Functionality

After the initial HTTP request to determine its external IP address, the monitor component appears to communicate exclusively via fake DNS requests, all of which follow the format {Machine ID}.[...]. 'Info' messages – as the name suggests – are purely informational and are despatched alongside 'ping' messages:

{PCNAME}; {USERNAME}; [NS:IP {C2URL}:{C2IP}]

The 'note' and 'trp' message types required further analysis and relate to the core functionality of the malware. 'note' messages carry the [...].jpg data produced by the infobat.bat process, while 'ping' is a heartbeat message sent to the C2 every 60 minutes. The harvested data is written to a local file called ‘PCi.[...]’ in the same directory where the executables are deployed and sent to the C2 server via DNS. All five message types are logged to the {Machine ID}.dat file prior to transmission, and a hash of each 'trp' message is saved to udwupd.[...].

Design Decisions and Detection Rate

The coding style and techniques seen within the malware can hardly be described as outstanding. Visibility is always an issue when it comes to non-traditional malware: samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems.

Timelines

As the underlying intent of the malware became clear, Forcepoint attempted to identify further samples from the same family to determine whether this was something new (and possibly still being tested before deployment) or part of an ongoing campaign. These efforts revealed another service component, but unfortunately not the corresponding monitor nor the parent 7-Zip SFX archive. It is compiled by the same Visual Studio build and uses the same string encoding technique: both executables contain only a few identifiable plain-text strings, and instead use a basic encryption and encoding method to hide strings such as the C2 server, filenames, and hard-coded process names. Whether this is a sign that the authors of the malware were not successful in deploying it at first, or whether these are two different campaigns, cannot be fully determined at this time due to the lack of additional executables.

Conclusion

Discovering a unique piece of malware is a rare event these days and UDPoS, while unusual, is not a new concept. From a consumer standpoint, protecting oneself against this sort of threat can be a tricky proposition: a PoS terminal could conceivably remain infected for significant lengths of time. However, enabling reporting on your credit card activity (many banks offer SMS, Push, and email alerts) can greatly reduce the time of discovery – and therefore recovery – if abuse does occur. For many businesses, the situation may not be much better: legacy PoS systems are often based on variations of the Windows XP kernel and, in large retailers, may be present on hundreds or even thousands of devices.
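As an added example (not code from the Forcepoint post, and not the malware's own logic), the following script shows the kind of heuristic a defender could run over DNS query logs to spot the exfiltration pattern described above: a constant per-machine identifier as the leading label, a stream of near-unique long names under a single domain, and a beacon that recurs on a fixed hourly interval. The log line format, the assumed query layout {machine_id}.{type}.{payload}.{domain}, the domain c2-example.test and every log entry are constructed assumptions for the example, not indicators taken from the post.

```python
"""Heuristic detector for DNS-tunnelled exfiltration (added example).

Assumptions (not from the original post): log lines are
'<ISO timestamp> <client IP> <queried name>', and the tunnelled
queries look like {machine_id}.{type}.{payload}.{c2 domain}.
"""
import re
from collections import defaultdict
from datetime import datetime

# Leading label that looks like a fixed, machine-specific hex identifier.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")

# Constructed sample log: one normal host, one CDN-style host whose names are
# unique but short, and one host beaconing to an assumed C2 domain every hour.
SAMPLE_LOG = """
2018-02-01T09:00:00 10.0.0.5 www.example.com
2018-02-01T09:05:00 10.0.0.5 www.example.com
2018-02-01T09:47:00 10.0.0.5 cdn.example.com
2018-02-01T10:30:00 10.0.0.5 www.example.com
2018-02-01T11:02:00 10.0.0.5 www.example.com
2018-02-01T11:59:00 10.0.0.5 www.example.com
2018-02-01T09:10:00 10.0.0.7 img-1001.cdn-example.net
2018-02-01T09:12:00 10.0.0.7 img-1002.cdn-example.net
2018-02-01T09:40:00 10.0.0.7 img-1003.cdn-example.net
2018-02-01T10:15:00 10.0.0.7 img-1004.cdn-example.net
2018-02-01T09:00:00 10.0.0.9 3f9a1c7e2b5d.ping.c2-example.test
2018-02-01T09:00:01 10.0.0.9 3f9a1c7e2b5d.info.kjqwg5lsnvsxgzlsn5rxqzdfmfsxgzls.c2-example.test
2018-02-01T10:00:00 10.0.0.9 3f9a1c7e2b5d.ping.c2-example.test
2018-02-01T10:00:01 10.0.0.9 3f9a1c7e2b5d.info.nfzwk2lunvsxg5dsmfzgk3tdmvxgkzlu.c2-example.test
2018-02-01T11:00:00 10.0.0.9 3f9a1c7e2b5d.ping.c2-example.test
2018-02-01T11:00:01 10.0.0.9 3f9a1c7e2b5d.info.orsxg5bamnqxezlbnfxgiidmmvzxi3df.c2-example.test
2018-02-01T12:00:00 10.0.0.9 3f9a1c7e2b5d.ping.c2-example.test
2018-02-01T12:00:01 10.0.0.9 3f9a1c7e2b5d.info.mfzhgzlsmnqxezldorqwg2lunfxw4ytp.c2-example.test
2018-02-01T12:30:00 10.0.0.9 3f9a1c7e2b5d.trp.gezdgnbvgy3tqojqmfxhezlsmrsxozlsmnqxe.c2-example.test
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, lowercase qname) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Naive eTLD+1: last two labels (assumes no multi-part public suffixes)."""
    return ".".join(qname.split(".")[-2:])


def analyse(records, min_queries=4):
    """Return {(client, domain): [reasons]} for groups matching >= 2 heuristics."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        names = [q for _, q in items]
        reasons = []

        # 1. Mostly distinct names under one domain: data carried in labels.
        unique_ratio = len(set(names)) / len(names)
        if unique_ratio > 0.5:
            reasons.append(f"unique_ratio={unique_ratio:.2f}")

        # 2. Long query names: a payload needs room in the subdomain labels.
        avg_len = sum(len(q) for q in names) / len(names)
        if avg_len > 40:
            reasons.append(f"avg_len={avg_len:.0f}")

        # 3. One constant hex-looking leading label across all queries.
        first_labels = {q.split(".")[0] for q in names}
        if len(first_labels) == 1 and HEX_LABEL.match(next(iter(first_labels))):
            reasons.append(f"constant_id={next(iter(first_labels))}")

        # 4. At least three gaps of roughly 60 minutes between queries.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        if sum(1 for g in gaps if abs(g - 3600) < 120) >= 3:
            reasons.append("hourly_beacon")

        # Require two independent signals to keep CDN-style traffic out.
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

The CDN-style host trips only the unique-name heuristic and is therefore ignored, while the beaconing host matches all four; requiring two independent signals is what keeps the false-positive rate tolerable on real resolver logs, where high-entropy but short names are common.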