Malware uses the DNS to scrape credit card numbers from POS system

Windows POS malware dubbed Alina steals credit card data from victims using the DNS tunneling

POS malware Alina stealing credit card dataAlina POS malware relies on DNS to evade detection and exfiltrate stolen data from victims. Researchers revealed that a new malware campaign involves Alina point-of-sale malware that gathers credit card data from unsuspected victims.[1] Malware was discovered using the DNS protocol to gather information about credit cards to a remote server that attackers control. Researchers determine that Domain Name System function allows the stolen data exploitation via an outbound communication channel.

Windows-based point of sales system[2] received malware injections, so payments transferred using credit cards can be monitored. Infection can scrape data when the payment is processed on a remote terminal or the local payment machine. Then the memory is copied and sent to the remote C&C server. Such information can be used to make fraudulent purchases, clone the credit card directly, sell those details on the dark web.

Alina POS malware is not new since it was discovered back in 2012.[3] Apparently criminals are not done with this malware strain since the virus has been around for a long time and is distributed with new tactics. The investigators now warn people about the renewed circulation of this threat and the new trick called DNS tunneling that allows attackers to steal data.

Evading anti-malware detection

The key findings of the analysis showed that this POS malware relied on the DNS to avoid detection and to bypass any security controls while distributing and stealing data. At least four domains showed the same DNS queries and another site was found on the same IP, but unused. It is common for hackers to register more domains, in case one fo the used ones get blocked. Also, it was disclosed that Alina malware can encode files, so the exfiltration of the stolen data was definitely confirmed.[4]

When POS systems get secured, it is common to lock them and allow the connection to specific protocols only. These restrictions include HTTP protocols, so POS can't connect to web servers, for example. These measures should prevent malware from accessing the C&C servers for sending stolen data. But this DNS protocol is not commonly blocked since it is required for various Windows services and general operations.

Alina malware added the function to use the encoded DNS requests to communicate with the server. Machine-learning models detected these unusual queries to a particular domain in April, so the POS malware was discovered.

The theft was discovered after one of Black Lotus Labs' machine-learning models flagged unusual queries to a specific domain in April.

Microsoft releases urgent patches to avoid attacks

Credit card processing systems typically run in the Windows operating system environment, so malware creators can rely on existing techniques. These issues are concerning because Microsoft and Windows OS, in particular, devices have many issues and vulnerabilities that hackers can exploit.

Microsoft quietly released the software update that patches two critical flaws that can affect hundreds of millions of Windows 10 users. This out-of-band update release provides patches and comes two weeks earlier than the Patch Tuesday Updates.[5]

Those bugs can become an easy attack vector, so it is especially important to patch remote execution bogs to avoid unwanted behavior and damage. Customers, fortunately, do not need to take any action to receive the update because it happens through the Windows Store app automatically.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions