The Alina Point-of-Sale (POS) malware, which researchers have documented for several years, has now been found to use the Domain Name System (DNS) protocol to smuggle stolen credit card data to a remote server under the attackers' control.

POS malware is installed on point-of-sale systems to monitor for credit card payments. When a payment is processed on a remote terminal or a local machine, the malware scrapes the card information from the computer's memory and sends it to a remote Command and Control (C2) server operated by the attacker. A common defensive measure on POS systems is to block outbound HTTP so that malware cannot reach its C2 server over that protocol. Alina now uses DNS requests for its communications instead, because DNS is rarely blocked: a variety of Windows services require it for the basic operation of the machine.

In a report from IT services company CenturyLink, the Alina malware was found to encode card data and other messages into DNS requests and send them to its C2 server. The malware encrypts and encodes the data as a DNS request for a subdomain of one of four domains: analytics-akadns[.]com, akamai-analytics[.]com, akamai-information[.]com and akamai-technologies[.]com.
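The exfiltration channel described above leaves a trace in DNS query logs: lookups for subdomains of the four listed domains, and long or high-entropy subdomain labels that carry encoded data. The following detector, an added example rather than code from the report or from CenturyLink, runs both checks over constructed query-log lines; the entropy and length thresholds are assumed values to be tuned against your own baseline of benign traffic.

```python
import math
from collections import Counter

# C2 domains named in the CenturyLink report cited above (defanged in the text).
ALINA_C2_DOMAINS = {"analytics-akadns.com", "akamai-analytics.com",
                    "akamai-information.com", "akamai-technologies.com"}

# Heuristic thresholds for encoded data smuggled in a subdomain label
# (assumed values; tune against a baseline of your own benign traffic).
MAX_LABEL_LEN = 40
MIN_ENTROPY = 3.5

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex/base32-encoded data scores high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_domain(qname: str) -> str:
    """Last two labels of the query name (sufficient for the .com C2 domains)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def classify_query(qname: str) -> list:
    """Reasons a single DNS query name looks like Alina-style exfiltration."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if registrable_domain(qname) in ALINA_C2_DOMAINS:
        reasons.append("known_alina_c2_domain")
    if any(len(l) > MAX_LABEL_LEN or shannon_entropy(l) > MIN_ENTROPY
           for l in labels[:-2]):
        reasons.append("encoded_subdomain")
    return reasons

# Constructed sample query-log lines: timestamp client qname qtype.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 10.0.0.12 www.example.com A
2020-04-01T10:00:02Z 10.0.0.12 7a3f9c1e2b4d6a8f0c5e1b3d7f9a2c4e.analytics-akadns.com A
2020-04-01T10:00:03Z 10.0.0.13 9f1e3d5c7b2a4e6d8c0f2a4b6d8e1c3f.akamai-technologies.com A
"""

def analyze_dns_logs(text: str) -> list:
    """Parse query-log lines; return (client, qname, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reasons = classify_query(parts[2])
        if reasons:
            hits.append((parts[1], parts[2], reasons))
    return hits
```

The domain match alone is brittle once the operators register new names, so the label heuristic is the check that survives infrastructure changes; expect it to need tuning where CDN or tracking hostnames legitimately use long random labels.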