Forcepoint researchers Robert Neumann and Luke Somerville have reported in a recent blog post that a new malware family, dubbed UDPoS, disguises itself as a legitimate service to avoid detection while transferring stolen data.
A sample of the malware recently uncovered by the security firm masquerades as a LogMeIn component. LogMeIn is a legitimate remote access product used to manage PCs and other systems remotely.
This fake "service pack" generated "notable amounts of 'unusual' DNS requests," according to the team, and on further investigation the fake LogMeIn software turned out to be point-of-sale (PoS) malware.
PoS malware lurks on systems where payment card data is processed and potentially stored, such as the checkout terminals of shops and restaurants. Once a point-of-sale system is infected, malware such as DEXTER or BlackPOS scrapes the track data read from a card's magnetic stripe and sends it to its operator through a command-and-control (C&C) server.
This data can then be used to clone cards, drain bank accounts and potentially commit identity theft.
In 2013, US retailer Target fell victim to PoS malware: payment card data for some 40 million customers was stolen, along with personal information on up to 70 million more. In what Forcepoint describes as an occasional needle in a "digital haystack," the new UDPoS malware uses LogMeIn-themed filenames and C&C URLs so that its DNS-based traffic blends in with legitimate activity.
The sample analysed, logmeinumon.exe, communicates with a C&C server hosted in Switzerland. It contains a dropper and self-extracting archives that unpack their contents into temporary directories.
A LogMeInUpdService directory is also created, together with a system service that provides persistence, after which a monitoring component comes into play.
"This monitoring component has an almost identical structure to the service component. It's compiled by the same Visual Studio build and uses the same string encoding technique: both executables contain only a few identifiable plain-text strings, and instead use a basic encryption and encoding method to hide strings such as the C2 server, filenames, and hard-coded process names," the researchers say.
The monitoring component not only watches processes on the infected system but also checks for antivirus software and virtual machines. Any data worth taking, such as customer card details, is then collected and exfiltrated over DNS traffic dressed up to look like LogMeIn communication.
"Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications; however, DNS is still often treated differently, providing a golden opportunity to leak data," the researchers note.
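The "unusual DNS requests" that gave UDPoS away are exactly what a resolver-log check can surface: data smuggled out in query names shows up as a burst of long, high-entropy, never-repeating subdomains under one parent domain from a single host. The following is an added example, not code or indicators from the Forcepoint report: a detector that applies those three tests to constructed resolver log lines. The log format, the client addresses and the domain logmein-service.example are all assumptions chosen for illustration; the domain is not an indicator of compromise.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (assumption, not real traffic): "epoch client qname qtype".
# 10.0.5.21 does ordinary lookups; 10.0.5.30 pushes data out in hex-encoded labels.
SAMPLE_LOG = """\
1517990001 10.0.5.21 www.logmein.com A
1517990002 10.0.5.21 update.microsoft.com A
1517990003 10.0.5.21 secure.logmein.com A
1517990004 10.0.5.30 a9f3c01e7b2d4455d6e0.upd.logmein-service.example A
1517990004 10.0.5.30 3b7e19d0c4a2ff118e6c.upd.logmein-service.example A
1517990005 10.0.5.30 77de0a14b9c3e2f05a1b.upd.logmein-service.example A
1517990005 10.0.5.30 c2e8b4d90f6a17e3a5d4.upd.logmein-service.example A
1517990006 10.0.5.30 5d1a0e9f3c7b28e4b6f2.upd.logmein-service.example A
1517990006 10.0.5.30 e4b6c2d18a0f37e5c9a1.upd.logmein-service.example A
1517990007 10.0.5.30 1f0a3e5c7b9d24e6d8b3.upd.logmein-service.example A
1517990008 10.0.5.30 9c4d2b0e6a1f38e7e0c5.upd.logmein-service.example A
1517990009 10.0.5.21 www.logmein.com A
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payload labels score far above words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def registered_domain(qname: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should consult the Public Suffix List instead.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dns_exfil(text: str, min_distinct: int = 5,
                   min_label_len: int = 16, min_entropy: float = 3.0) -> list[dict]:
    """Flag (client, domain) pairs whose query names look like a data channel.

    All three conditions must hold: many distinct names (payload never repeats),
    long leftmost labels (payload is packed in), and high entropy (encoded data,
    not hostnames). Requiring all three keeps CDN and telemetry domains quiet.
    """
    groups: dict[tuple, list[str]] = defaultdict(list)
    for r in parse_log(text):
        groups[(r["client"], registered_domain(r["qname"]))].append(r["qname"])

    alerts = []
    for (client, domain), names in groups.items():
        leftmost = [n.split(".")[0] for n in names]
        distinct = len(set(names))
        mean_len = sum(map(len, leftmost)) / len(leftmost)
        mean_ent = sum(map(shannon_entropy, leftmost)) / len(leftmost)
        if distinct >= min_distinct and mean_len >= min_label_len and mean_ent >= min_entropy:
            alerts.append({
                "client": client, "domain": domain, "queries": len(names),
                "distinct_names": distinct,
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            })
    return alerts


if __name__ == "__main__":
    for a in find_dns_exfil(SAMPLE_LOG):
        print(f"ALERT {a['client']} -> {a['domain']}: {a['queries']} queries, "
              f"{a['distinct_names']} distinct, label len {a['mean_label_len']}, "
              f"entropy {a['mean_entropy']}")
```

The thresholds are starting points, not tuned values: lower min_distinct to catch slow, low-volume channels, and add the query type and response size to the grouping key if the resolver log carries them. The check says nothing about what the payload is; pairing it with the track-data scan on the originating host is how the two signals are joined up.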
Forcepoint stresses that the LogMeIn theme is nothing more than camouflage for the malware's activities. It disclosed its findings to the remote access vendor, and no evidence has been found that LogMeIn's product or service itself was abused.
However, the researchers say there is evidence of an "earlier Intel-themed variant," which suggests UDPoS is a malware family under active development, tweaked over time to improve its success rate and to reach fresh victims.