Researchers Robert Neumann and Luke Somerville of the cyber-security firm Forcepoint said in a blog post that a new malware family called UDPoS disguises itself as a legitimate service to avoid detection while it transmits stolen data. The malware poses as a LogMeIn service pack to mask its anomalous traffic, and so hides the theft of customers' card data.
UDPoS poses as a legitimate LogMeIn service package, and it came to light because it generated "unusually large numbers of DNS requests." Further investigation by Forcepoint found that the supposed LogMeIn traffic actually belonged to point-of-sale (PoS) malware.
LogMeIn is a legitimate remote-access product used to manage PCs and other systems remotely.
PoS malware hides in the systems that process, and sometimes store, credit card information, such as the payment systems used by restaurants and shops. Once a point-of-sale system (i.e. the PoS terminal) is infected, malware such as DEXTER or BlackPOS can steal the payment data held on the card's magnetic stripe and send it to the operator behind the scenes via a command-and-control (C&C) server.
The stolen card data is then used to drain bank accounts, or even for identity theft by creating cloned cards.
In 2013, the American retailer Target Corp. was hit by PoS malware that stole the credit card information of about 110 million customers. Forcepoint described its investigation as finding a "needle in a haystack": the new UDPoS malware hides its DNS-based transport traffic behind a LogMeIn-themed file name and C&C URL.
One of the malware samples, named logmeinumon.exe, contacts a C&C server hosted in Switzerland. It is a self-extracting archive that drops its components into a temporary directory, then creates a LogMeInUpdService directory along with a system service that keeps the monitoring component running. "The monitor and service components have almost the same structure," the researchers said. "They are compiled from the same Visual Studio version and use the same string encoding techniques: both executables contain only a few recognizable plain-text strings and use basic encryption and encoding methods to hide string content, such as C&C servers, filenames, and hard-coded process names." The monitoring component not only keeps track of processes on the infected system but also checks for anti-virus protection and virtual machines.
Everything collected, such as customers' credit card information, is sent out disguised as LogMeIn DNS traffic.
The researchers point out that "almost all businesses have firewalls and other protections to monitor and filter traffic over TCP and UDP, but DNS is still treated differently, giving a good data leakage opportunity."
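The detection angle the researchers describe, as an added editorial example (not code from Forcepoint's write-up or from the malware): score DNS resolver logs for the pattern UDPoS relies on, many queries from one client to one domain, each carrying a unique, high-entropy leading label. The log format, the thresholds and the lookalike domain are all assumptions.

```python
import math
from collections import defaultdict
# Constructed resolver log lines, format assumed "<time> <client_ip> <query_name>".
# The lookalike domain is a placeholder under the reserved .invalid TLD, not a real IoC.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:02 10.0.0.5 www.example.com
10:00:03 10.0.0.5 www.example.com
10:00:03 10.0.0.7 4f1a9c0b3e.update.logmein-lookalike.invalid
10:00:03 10.0.0.7 9b77e2d1aa.update.logmein-lookalike.invalid
10:00:04 10.0.0.7 0c3d5e6f71.update.logmein-lookalike.invalid
10:00:04 10.0.0.7 a1b2c3d4e5.update.logmein-lookalike.invalid
"""

def shannon_entropy(s):
    """Bits per character; encoded card data scores far above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, min_queries=4, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, domain) pairs whose queries look like encoded data, not lookups."""
    prefixes = defaultdict(list)  # (client, domain) -> leading labels of each query
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        _, client, qname = parts
        domain = registered_domain(qname)
        prefixes[(client, domain)].append(qname[: -len(domain) - 1])
    alerts = []
    for (client, domain), labels in prefixes.items():
        if len(labels) < min_queries:
            continue  # too few queries to judge
        unique_ratio = len(set(labels)) / len(labels)  # near 1.0 when each query carries new data
        first = [p.split(".")[0] for p in labels if p]
        avg_entropy = sum(shannon_entropy(x) for x in first) / max(len(first), 1)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "queries": len(labels),
                           "unique_ratio": unique_ratio, "avg_entropy": round(avg_entropy, 2)})
    return alerts
```

Run `analyse(SAMPLE_LOG)` to see the one flagged client; the repeated www/mail lookups from 10.0.0.5 stay quiet because their labels repeat and carry almost no entropy.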
Forcepoint emphasises that the LogMeIn theme is just one way of disguising malware activity. Since the findings were disclosed, there has been no evidence that any LogMeIn product or service has itself been abused.
It is unclear how widely this malware is being used. However, the sample's timestamp is recorded as October 25, 2017, so it is likely a relatively new piece of attack tooling.
The researchers also said there is evidence that it is "a variant of an earlier Intel theme," suggesting that UDPoS is probably just the next stage in the malware's development, adapted to aim at different targets and groups of victims.
LogMeIn made the following statement about the incident:
“This link, file or executable is not provided by LogMeIn, and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product.
You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”
Source: ZDNet