UDPoS malware spotted in the wild


Description

The SonicWall Capture Labs Threat Research Team observed a new POS malware called UDPoS [UDPOS.A].

UDPoS is newly discovered malware that targets point-of-sale (POS) payment systems. It uses DNS tunneling to exfiltrate the stolen card data from the infected host.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe
    • C:\WINDOWS\system32\LogMeInUpdService\hdwid.dat [Machine ID]
    • C:\WINDOWS\system32\LogMeInUpdService\sinf.dat [Process Name Logs ]
    • C:\WINDOWS\system32\LogMeInUpdService\[Random Number].dat [ Track Data ]
    • C:\WINDOWS\system32\LogMeInUpdService\infobat.bat [ Net Commands ]
    • %Userprofile%\Local Settings\Temp\7ZSfx000.cmd [ Wipe Commands ]

Once the computer is compromised, the malware creates a new system service to maintain persistence and then launches a component to monitor for sensitive payment card data.

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

The malware uses a simple encryption and encoding scheme to obfuscate strings such as the C&C server address, file names and process names, which hinders static detection of those indicators.

The malware terminates itself if it detects antivirus software or a debugger on the infected system.

The malware retrieves the list of running processes and periodically scrapes the memory of those processes for credit card data. It attempts to enumerate card data from the POS software using the following API functions:

The malware logs the POS process name to the sinf.dat file:

The malware generates a random identifier for the target machine and saves it to the hdwid.dat file:

Once it locates payment card data, the malware makes a single HTTP request to determine the infected system's external IP address.

Once the public IP is known, the malware verifies the card numbers and then sends the Track 1 and Track 2 data, in encrypted form, to one of its C&C servers, encoded as DNS queries such as the following example:
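To make the scraping and verification steps concrete, the following Python code is an added example (not code from the original analysis and not the malware's own code). It searches a constructed memory buffer for Track 1 and Track 2 magnetic-stripe data and keeps only card numbers that pass the Luhn check. The Luhn check is an assumption about how the malware "verifies" card numbers; the page does not state which check it uses. The buffer contents and the card numbers are constructed (well-known test PANs, not real accounts).

```python
import re

# Constructed sample standing in for a scraped region of POS process memory.
# The PANs are public test numbers, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00config=1\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?"  # Track 1 (valid test PAN)
    b"\x00\x00"
    b";5555555555554444=25121010000000000000?"            # Track 2 (valid test PAN)
    b"\x00junk\x00"
    b";1234567890123456=2512101?"                         # Track 2 shape, fails Luhn
    b"\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True when the PAN satisfies the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Find Track 1/2 records in a memory buffer; keep only Luhn-valid PANs."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        found.append({"track": 1, "pan": m.group(1).decode(),
                      "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        found.append({"track": 2, "pan": m.group(1).decode(),
                      "exp": m.group(2).decode()})
    # The malformed-number record is dropped here, which is why a scraper
    # "verifies" numbers before spending exfiltration bandwidth on them.
    return [rec for rec in found if luhn_ok(rec["pan"])]


if __name__ == "__main__":
    for rec in scrape_tracks(SAMPLE_MEMORY):
        print(rec)
```

The same regular expressions, run against a process memory dump or a network capture, are a useful hunting check on a suspected POS host: any Luhn-valid hit outside the payment application's own protected memory is worth investigating.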

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: UDPOS.A (Trojan)
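Beyond the signature, defenders can hunt for the DNS tunneling behaviour itself in resolver logs, since the exfiltration channel leaves a trail regardless of how the binary is packed. The following Python detector is an added example, not SonicWall's code: it scores each (client, registered domain) pair on the number of unique subdomains, the length of the first label and its Shannon entropy, and flags pairs that exceed all three thresholds. The log format, the client address, the tunnel-example.test domain, the thresholds and the two-label "registered domain" heuristic are all constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "timestamp client qname qtype". Four ordinary
# lookups followed by a burst of long, high-entropy labels to one domain,
# which is the shape DNS-tunnelled exfiltration tends to leave behind.
SAMPLE_DNS_LOG = """\
2018-02-07T10:00:01 10.0.5.21 www.example.com A
2018-02-07T10:00:02 10.0.5.21 mail.example.com A
2018-02-07T10:00:03 10.0.5.21 www.example.com A
2018-02-07T10:00:04 10.0.5.21 time.example.com A
2018-02-07T10:00:05 10.0.5.21 3f9a7c2e1b8d6054a9e3c7f1d2b4086e.tunnel-example.test A
2018-02-07T10:00:05 10.0.5.21 0d4e8a2c6b1f3e9a7c5d2b0f4e6a8c1d.tunnel-example.test A
2018-02-07T10:00:06 10.0.5.21 9b1c3d5e7f0a2b4c6d8e1f3a5b7c9d0e.tunnel-example.test A
2018-02-07T10:00:06 10.0.5.21 a2c4e6081b3d5f7a9c1e3b5d7f9a0c2e.tunnel-example.test A
2018-02-07T10:00:07 10.0.5.21 5e7a9c1b3d0f2e4a6c8b1d3f5a7e9c0b.tunnel-example.test A
2018-02-07T10:00:07 10.0.5.21 c1d3e5f7a9b0c2d4e6f8a1b3c5d7e9f0.tunnel-example.test A
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append((ts, client, qname.lower().rstrip("."), qtype))
    return rows


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Assumption: last two labels. A real deployment would use the
    # public suffix list so that e.g. co.uk is handled correctly.
    return ".".join(qname.split(".")[-2:])


def find_tunnels(rows, min_unique=5, min_label_len=20, min_entropy=3.0) -> list:
    """Flag (client, domain) pairs whose subdomain traffic looks like a data channel."""
    stats = defaultdict(lambda: {"subs": set(), "len": [], "ent": []})
    for _, client, qname, _ in rows:
        dom = registered_domain(qname)
        if qname == dom:
            continue                      # bare domain, no subdomain to score
        sub = qname[: -len(dom) - 1]
        first = sub.split(".")[0]         # the label carrying the payload chunk
        s = stats[(client, dom)]
        s["subs"].add(sub)
        s["len"].append(len(first))
        s["ent"].append(shannon_entropy(first))

    flagged = []
    for (client, dom), s in stats.items():
        uniq = len(s["subs"])
        avg_len = sum(s["len"]) / len(s["len"])
        avg_ent = sum(s["ent"]) / len(s["ent"])
        if uniq >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append({"client": client, "domain": dom,
                            "unique_subdomains": uniq,
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)})
    return flagged


if __name__ == "__main__":
    for hit in find_tunnels(parse_log(SAMPLE_DNS_LOG)):
        print(hit)
```

The three thresholds are deliberately conservative so that CDN and cloud hostnames with one or two long labels do not trip the rule; in production they should be tuned against a baseline of the site's own resolver logs, and a hit should be corroborated with the process-level indicators above (the LogMeInUpdService directory and the new service) before being treated as an infection.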