Posted on February 9, 2018 at 1:26 PM
A brand new kind of malware has demonstrated a unique operation method as it works by impersonating the LogMeIn service in order to avoid arousing any suspicions.
An interesting new type of malware has recently emerged that targets point-of-sale (PoS) systems by pretending to be the widely used LogMeIn service to hide the fact that the malware is stealing customer information.
The malware was discovered last week by Luke Somerville and Robert Neumann, who work as researchers for the cybersecurity firm, Force point. The researchers shared their findings in a blog post which provides a detailed look at the malware, called UDPoS. This malware has a unique operational technique as it mimics a popular web service so that the data theft cannot be detected.
The legitimate LogMeIn services is a system designed to allow the user to manage a system network of PCs remotely. However, the UDPoS malware has now exploited this service by impersonating it to steal customer information.
UDPoS operates by generating a notably irregular amount of DNS requests. However, upon closer inspection, Forcepoint researchers soon concluded that these requests came from the malware and not from LogMeIn.
PoS malware generally targets systems which store and process credit card information. Previous PoS malware, such as BlackPoS or DEXTER, for example, compromised PoS systems in order to steal credit card information that PoS systems gain access to via the physical credit card’s magnetic strip. After this information is accessed, it is communicated to the payment processor using a command and control server.
However, this information can be dangerous when falling into the wrong hands. The dedicated hacker can easily use the credit card information in an attempt to perform identity theft, to duplicate cards, or even to wipe bank accounts.
One of the biggest PoS malware attacks in recent history occurred in 2013, when the major US retailer, Target, suffered a malware attack which compromised the credit card information of 110 million Target customers.
However, in this latest UDPoS attack, Forcepoint noted the innovation of the attack as the malware uses unique LogMeIn filenames and controls in order to disguise its suspects DNS traffic.
A small sample of the malware, named logmeinumon.exe, has been traced to a control and command server in Switzerland. This server has also been discovered to contain self-extracting archives and a dropper.
Interestingly, the LogMeInUpdService directory has been created to work with a system that enhances persistence in addition to a monitoring factor.
According to researchers, this monitoring feature is very similar to service factor’s structure. The two systems were created by the same Visual Studio and utilize the exact same technique of string encoding. While both executables contain merely single pieces of plain-text, the majority of the code is encrypted.
The monitoring factor has been designed to monitor systems for infection while simultaneously monitoring the system’s anti-malware software.
According to the researchers, most companies are have implemented strict firewalls and other anti-malware and antivirus software, however, most companies are still not effectively secured when it comes to DNS data protection.