Alina POS Malware Hiding Credit Card Data in DNS Queries

The Alina Point-of-Sale (POS) malware, which researchers have documented for several years, has now been found to use the Domain Name System (DNS) protocol to smuggle stolen credit card data to a remote server under the attackers’ control. POS malware is installed on point-of-sale systems to monitor for credit card payments. When a payment is processed on a remote terminal or a local machine, the malware scrapes the credit card information from the computer’s memory and sends it to a remote Command and Control (C2) server operated by the attacker. It is a common defensive tactic to block outbound HTTP from POS systems so that malware cannot reach its C2 server over that protocol. Alina now uses DNS requests for its communications, since DNS is rarely blocked: a variety of Windows services require it for the basic operation of the machine. A report from IT services company CenturyLink found that Alina encodes card data and other messages into DNS requests sent to its C2 server. The malware encrypts and encodes the data as a DNS request referencing a subdomain of one of four domains: analytics-akadns[.]com, akamai-analytics[.]com, akamai-information[.]com and akamai-technologies[.]com.

Analyst Notes

Using DNS requests to exfiltrate stolen credit card data is not a new technique; it has been observed since at least 2017 in other malware such as GratefulPOS, which likewise abused the Akamai brand name with the domain deploy-akamaitechnologies[.]com. All organizations that operate POS systems should monitor DNS traffic for suspicious queries. Network administrators should also block DNS traffic involving the four domains listed above. The Binary Defense Security Operations Center (SOC) can also assist organizations by monitoring endpoints for the underlying malware and stopping it when it attempts to install.
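The monitoring recommended above can be expressed as a small triage script. The following is an added example (not from the article or the CenturyLink report) that flags DNS queries to the four reported domains and, going beyond the specific case, also flags encoded-looking subdomain payloads sent to any domain; the log format, the length and entropy thresholds, and the sample log lines are assumptions constructed for this example.

```python
import math
from collections import Counter

# The four C2 domains named in the CenturyLink report (from the article above).
ALINA_C2_DOMAINS = {"analytics-akadns.com", "akamai-analytics.com",
                    "akamai-information.com", "akamai-technologies.com"}

# Heuristic thresholds are assumptions for this example, not values from the report.
MAX_LABEL_LEN = 40       # benign hostnames rarely carry a single label this long
ENTROPY_THRESHOLD = 3.5  # bits/char; hex- or base32-encoded data sits near 4-5

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real deployment should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def classify_query(qname):
    """Return the reasons a query resembles Alina-style DNS exfiltration ([] if none)."""
    name = qname.rstrip(".").lower()
    reasons = []
    if registered_domain(name) in ALINA_C2_DOMAINS:
        reasons.append("known Alina C2 domain")
    sub_labels = name.split(".")[:-2]          # everything left of the registered domain
    payload = "".join(sub_labels)
    if sub_labels and max(map(len, sub_labels)) > MAX_LABEL_LEN:
        reasons.append("oversized label")
    if len(payload) >= 20 and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy subdomain")
    return reasons

def scan_log(text):
    """Map each flagged query name to its reasons; assumed log format is 'timestamp client qname'."""
    qnames = [line.split()[2] for line in text.splitlines() if len(line.split()) == 3]
    return {q: classify_query(q) for q in qnames if classify_query(q)}

# Constructed sample DNS log lines, not real traffic.
SAMPLE_LOG = """\
2020-07-01T12:00:01Z 10.0.5.21 pos-update.vendor.example.com
2020-07-01T12:00:02Z 10.0.5.21 a91f3c0e7b2d44d6e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5.akamai-analytics.com
2020-07-01T12:00:03Z 10.0.5.22 www.akamai.com
2020-07-01T12:00:04Z 10.0.5.23 zx81qv0ppl2m9kd7fh3sa6tw5yb4nc.cdn-static.example.net
"""

if __name__ == "__main__":
    for qname, why in scan_log(SAMPLE_LOG).items():
        print(qname, "->", ", ".join(why))
```

The entropy and label-length rules will also fire on legitimate content-delivery or anti-virus lookups that encode data in hostnames, so treat them as a hunting lead to baseline per environment, while the domain match is a direct block/alert signal.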

Source Article: