A new strain of point-of-sale (PoS) malware that disguises itself as a LogMeIn service pack and exfiltrates payment card data over DNS has been discovered by security researchers.
Forcepoint researchers first spotted the new malware family, dubbed "UDPoS", after noticing that a supposed LogMeIn service pack was generating "notable amounts of 'unusual' DNS requests".
Researchers said the malware appeared to be linked to a command and control (C&C) server hosted in Switzerland and uses LogMeIn-themed filenames and C&C URLs to evade detection.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware," Forcepoint's Robert Neumann and Luke Somerville wrote in a blog post published on Thursday (8 February). "This appears to be a new family which we are currently calling 'UDPoS' owing to its heavy use of UDP-based DNS traffic."
The dubious LogMeIn service pack sets up the malware by placing files into a LogMeInUpdService directory and creating a new system service to establish persistence before running a monitoring component.
"Despite maintaining a small footprint – only 88kb in size – the monitor component is a multi-threaded application which creates five different threads after its initialisation code is completed," researchers explained. "It's compiled by the same Visual Studio build and uses the same string encoding technique: both executables contain only a few identifiable plain-text strings, and instead use a basic encryption and encoding method to hide strings such as the C2 server, filenames, and hard-coded process names."
This monitoring component enumerates the infected system's processes and checks for anti-virus products or virtual machines. However, researchers noted that the code responsible for opening module handles appears to be flawed.
"It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers," Forcepoint said.
Once the malware is executed, it uses several standard Windows commands to harvest data from the infected machine, including payment card data, and sends it to the C&C server via DNS.
"The coding style and techniques seen within the malware can hardly be described as outstanding," researchers said. "Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware... That said, the method used in this sample does appear to get the job done.
"Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications, however DNS is still often treated differently providing a golden opportunity to leak data."
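The DNS channel the researchers describe is worth seeing end to end. The block below is an added illustration, not Forcepoint's code and not the malware's: it shows how card data would be chunked into DNS query labels (hex encoding is assumed here; the report does not state UDPoS's exact encoding) and how a resolver query log can be scored to flag that traffic. The log format, hostnames, addresses and the track-2-style string are all constructed for the example, and `exfil-c2.example` is a hypothetical domain.

```python
"""Encoder/decoder for data carried in DNS labels, plus a log-based detector.

Added example, not Forcepoint's code or the malware's. Hex encoding and the
BIND-style query-log layout are assumptions; every host, IP and data value
below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed track-2-style string with a fake PAN; nothing here is real card data.
SAMPLE_TRACK2 = b"4111111111111111=25121010000000000000"

# Hypothetical exfiltration domain used by the constructed log.
EXFIL_DOMAIN = "exfil-c2.example"

# Constructed benign queries in BIND query-log style, one query per line.
SAMPLE_LOG = """\
client 10.0.0.15#53211: query: www.example.com IN A + (10.0.0.1)
client 10.0.0.15#53212: query: mail.example.com IN MX + (10.0.0.1)
client 10.0.0.15#53213: query: cdn.example.net IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def encode_as_dns_labels(data: bytes, domain: str, label_len: int = 32) -> list[str]:
    """Hex-encode data and split it into labels (DNS caps a label at 63 bytes),
    returning one query name per chunk: <chunk>.<seq>.<domain>."""
    hexdata = data.hex()
    chunks = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    return [f"{chunk}.{seq}.{domain}" for seq, chunk in enumerate(chunks)]


def decode_dns_labels(qnames: list[str], domain: str) -> bytes:
    """Receiver side: strip the domain, reorder by sequence number, un-hex."""
    suffix = "." + domain
    parts = []
    for q in qnames:
        if not q.endswith(suffix):
            raise ValueError(f"unexpected domain in {q}")
        chunk, seq = q[:-len(suffix)].rsplit(".", 1)
        parts.append((int(seq), chunk))
    return bytes.fromhex("".join(chunk for _, chunk in sorted(parts)))


def parse_query_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, qname) pairs from the constructed log format."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("qname").rstrip(".").lower()))
    return out


def is_suspicious_qname(qname: str, min_label_len: int = 20) -> bool:
    """A query looks like carried data when its leading label is long and drawn
    from a narrow encoding alphabet (hex here). Entropy alone is a poor test:
    hex-encoded digits such as a PAN have low entropy, yet are clearly not a hostname."""
    first = qname.split(".")[0]
    return len(first) >= min_label_len and re.fullmatch(r"[0-9a-f]+", first) is not None


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation; a real detector would use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_exfil(log_text: str, min_hits: int = 2) -> dict[tuple[str, str], int]:
    """Count data-carrying queries per (client, domain) and return the pairs that
    reach min_hits, i.e. the hosts worth pulling for PoS-malware triage."""
    hits: dict[tuple[str, str], int] = defaultdict(int)
    for ip, qname in parse_query_log(log_text):
        if is_suspicious_qname(qname):
            hits[(ip, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


def sample_log() -> str:
    """Benign constructed queries plus the queries the encoder above would emit
    from a second (constructed) client."""
    lines = [SAMPLE_LOG.rstrip("\n")]
    for i, q in enumerate(encode_as_dns_labels(SAMPLE_TRACK2, EXFIL_DOMAIN)):
        lines.append(f"client 10.0.0.23#{61000 + i}: query: {q} IN A + (10.0.0.1)")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for (ip, dom), n in detect_dns_exfil(sample_log()).items():
        print(f"{ip} sent {n} data-carrying queries to {dom}")
```

Run as a script it reports the constructed client 10.0.0.23 against exfil-c2.example while the ordinary lookups from 10.0.0.15 stay silent. The point of the length-plus-alphabet heuristic is the one the researchers make: DNS is allowed through where other UDP is filtered, so the detection has to sit on the resolver or its logs, and it has to cope with low-entropy payloads like card numbers rather than rely on entropy scoring alone.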
It is still unclear whether the malware is currently being used in active campaigns in the wild, Forcepoint said.
"The coordinated use of LogMeIn-themed filenames and C2 URLs, coupled with evidence of an earlier Intel-themed variant, suggest that it may well be," they noted.
Forcepoint contacted LogMeIn to help determine whether its services or products had been abused during the malware's development. LogMeIn said the developers behind the malware appear instead to have used a "simple lure and 'camouflage'" technique.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," the company said in a statement. "This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.
"This potential malware is being delivered through channels independent of our solutions and we have no evidence at this time to believe that the LogMeIn environment or our products have been compromised as a result thereof."