DNS ‘tunnelling’ used to take data from retail systems – mostly stolen credit card information.
Security researchers have found that hackers have increased the capabilities of the Alina point-of-sale malware in order to steal credit card data using DNS tunnelling.
Says a blog post from CenturyLink, the Alina malware has re-occurred after it was first discovered in 2012. In earlier samples, the malware used HTTPS or a combination of HTTPS & DNS for the removal of the stolen credit card information. The latest version now only uses DNS for communication.
Decoding
Researchers at CenturyLink’s Black Lotus Labs used one of its machine-learning models that highlighted unusual queries to the domain akamai-technologies[.]com.
When decoding the information contained in the subdomains of these queries, they uncovered what was revealed to be credit card information being exfiltrated by the Alina Point of Sale (POS) malware.
Akamai
In April, it was noticed that there had been an increase in traffic to all the domains, especially akamai-technologies.com, since early May.
“This increase in traffic is due to queries originating from a single victim from the financial services industry,” researchers observed.
Type A Queries
The DNS queries to the C2 domains are all type A queries, meaning they are expecting an ipv4 response. Researchers saw that they all have random-looking subdomains.
After analysis, it was concluded that the malware was using the DNS protocol to steal credit card data & send this information to a remote server operated by hackers.
“Each of the DNS queries uncovered are either checking in with the C2, such as the “Ping” query above, or they contain credit card information.
The queries that contain credit card numbers contain an executable name in the field following the location or descriptor field. This seems to be the process which the malware identified as containing the credit card information in memory,” explained researchers.
Bypass
It is explained that DNS is a popular choice for malware authors to bypass security controls & exfiltrate data from protected networks. “Point of Sale malware continues to pose a serious security threat, & malicious player regularly update their malware in efforts to evade detection,” they added.
Organisations were warned to monitor DNS traffic for ‘anomalous activities’ in order to stop similar attacks.
Javvad Malik, Security Awareness Advocate at KnowBe4, further explained that Alina has been around for a while, & this latest evolution shows the group behind it is not slowing down anytime soon.
IOCs
“PoS malware comes in various guises therefore it’s important organisations take time to understand the risks & take measures to reduce the likelihood of the attacks being successful.
This can include using threat intelligence to check for IOCs, securing remote access, enabling EMV technologies, & turning on monitoring across the network as well as behavioural monitoring,” he said.
“For Alina specifically, the monitoring needs to look at DNS traffic to spot any unusual or unexpected activity and have response controls built in to take remedial action.”
