Alina Point-of-Sale Malware Spotted in Ongoing Campaign

The malware is using DNS tunneling to exfiltrate payment-card data.

A venerable point-of-sale (POS) malware called Alina that’s been around since 2012 is back in circulation, with a new trick for stealing credit- and debit-card data: Domain Name System (DNS) tunneling.

DNS is the mechanism by which numeric IP addresses are linked to website names; DNS translates human-readable domain names to IP addresses so browsers can load internet resources. Researchers at Black Lotus Labs spotted a still-ongoing campaign that began in April, in which cyberattackers employed Alina to siphon off payment-card information, then used DNS to exfiltrate it.

“To do this, malware authors encode the stolen information and issue a DNS query to the actor-controlled domain name,” according to the researchers’ analysis, issued on Wednesday. “The encoded data is placed in a subdomain, which the malicious actors then extract when they receive the DNS query. The stolen data is subsequently sold in underground criminal markets.”

In the most recent campaign, four domains showed similar, suspicious DNS queries that turned out to lead back to Alina: analytics-akadns[.]com; akamai-analytics[.]com; akamai-information[.]com; and akamai-technologies[.]com.

A suspicious-looking fifth domain, sync-akamai[.]com, was unused, but it was hosted on the same IP, according to the researchers.

“Actors often register multiple domains to provide redundancy if one or more of the malicious domains is blocked,” according to the analysis.

Black Lotus Labs observed a marked increase in query volume to all of the C2 domains, especially akamai-technologies[.]com, beginning in May. Researchers attributed the increase to queries originating from a single victim in the financial services industry.

(Chart: DNS query volume to each C2 domain over time. Source: Black Lotus)

Each of the DNS queries uncovered is either a check-in with the C2 or carries credit-card information.

“The queries that contain credit card numbers contain an executable name in the field following the location or descriptor field,” according to Black Lotus. “This appears to be the process which the malware identified as containing the credit-card information in memory. Earlier samples of the malware either contained a list of processes to examine, or examined every process running except for those contained in a list of processes to ignore.”

Alina can attack physical POS devices as well as computers running POS software.

“During the credit-card transaction, the data is typically decrypted and is temporarily in the POS software’s memory in unencrypted form,” according to researchers. “The malware searches the RAM of the POS device for this unencrypted credit-card information and sends it back to a command-and-control (C2) server. To ensure that only real credit-card data is found when searching the RAM of the device, the malware verifies that the last digit of the card number is the correct check digit using the Luhn checksum algorithm.”
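The Luhn check described above is the same test a DLP scanner applies to discard digit runs that merely look like card numbers. The following is an added example, not code from the Black Lotus analysis or the malware; the candidate length range (13 to 19 digits), the masking format and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample text standing in for a log line or dump fragment.
# 4111... and 5500... are well-known publicly documented test card numbers;
# the other digit runs are made up and should fail the Luhn check.
SAMPLE = (
    "txn id 123456789012345 amount 12.50 "
    "pan 4111111111111111 pan 5500000000000004 "
    "ref 4111111111111112 phone 0012345678901234"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the final digit is the correct Luhn check digit."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit starting
    # with the one immediately left of the check digit, folding >9 to one digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_valid_pans(text: str):
    """Return candidate 13-19 digit runs that pass the Luhn check, masked
    to first six and last four digits so the result can be logged safely."""
    found = []
    for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text):
        run = m.group(0)
        if luhn_valid(run):
            found.append(run[:6] + "*" * (len(run) - 10) + run[-4:])
    return found
```

Only the two test numbers survive; the 15-digit transaction id and the number with a corrupted check digit are rejected, which is exactly the false-positive filtering the quoted passage describes.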

The use of DNS isn’t unusual – it’s a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks, researchers pointed out. It’s a new trick for Alina however – its operators are banking (no pun intended) that while credit-card processing occurs in highly restricted environments, DNS often goes unmonitored.

“While earlier samples of the malware used HTTPS or a combination of HTTPS and DNS for the exfiltration of the stolen credit-card information, samples seen starting in late 2018 use DNS exclusively for communication,” researchers said.
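Because the encoded payload rides in the subdomain of an actor-controlled name, the defender's counterpart is a resolver-log check for long, high-entropy subdomains and unusual per-domain query volume. This added example (not from Black Lotus or the article) runs that heuristic over constructed log lines; the thresholds, the log format and treating the last two labels as the registered domain are assumptions, and the domains are invented.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines: "seq client qname".
# Domain names here are made up for the example, not the campaign's.
SAMPLE_LOG = """\
1 10.0.0.5 www.example.com
2 10.0.0.5 cdn.example.com
3 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.stats-example.net
4 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.stats-example.net
5 10.0.0.7 ffeeddccbbaa99887766554433221100.stats-example.net
6 10.0.0.9 mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 encoded payloads score near 4-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Assumption: the last two labels are the registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def flag_tunneling(log: str, min_sub_len: int = 24, min_entropy: float = 3.0):
    """Return ({domain: [suspicious qnames]}, {domain: unique subdomain count}).
    The first flags encoded-looking subdomains; the second supports the
    volume-spike check the researchers used to spot the busiest C2 domain."""
    suspects = defaultdict(list)
    uniq = defaultdict(set)
    for line in log.splitlines():
        _, _, qname = line.split()
        domain, sub = line and split_qname(qname)
        uniq[domain].add(sub)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            suspects[domain].append(qname)
    return dict(suspects), {d: len(s) for d, s in uniq.items()}
```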

#malware #akamai #alina #analysis #black lotus #point of sale


Brain Crist

1597899600

Researchers Warn of Active Malware Campaign Using HTML Smuggling

An active campaign has been spotted that utilizes HTML smuggling to deliver malware, effectively bypassing various network security solutions, including sandboxes, legacy proxies and firewalls.

Krishnan Subramanian, security researcher with Menlo Security, told Threatpost that the campaign uncovered on Tuesday, dubbed “Duri,” has been ongoing since July.

It works like this: The attackers send victims a malicious link. Once they click on that link, a JavaScript blob technique is used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs (Binary Large Objects) are a browser-implemented object type for holding raw data.

Because HTML smuggling is not a novel technique — it’s been used by attackers for a while, said Subramanian — this campaign shows that bad actors continue to rely on older attack methods that still work. Learn more about this latest attack and how enterprises can protect themselves from HTML-smuggling attacks during this week’s Threatpost podcast.

#malware #podcasts #web security #cloud services #coronavirus #covid #duri #html smuggling #javascript blobs #krishnan subramanian #malware #malware campaign #menlo security #pandemic

Houston Sipes

1602723600

APT Attack Injects Malware into Windows Error Reporting

A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is potentially the work of a Vietnamese APT group, researchers said.

The attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, according to a blog post on Tuesday by researchers Hossein Jazi and Jérôme Segura. Instead, it leads them to a malicious website that can load malware that hides in WER, they said.

“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques,” researchers wrote.

WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It’s also included in Windows Mobile versions 5.0 and 6.0.

The service runs WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users would be unlikely to suspect any nefarious activity if the service is running, they said.

“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi and Segura wrote.

The use of this evasion tactic is not new, researchers noted, and the technique suggests a connection to the Vietnamese APT32 group, also known as OceanLotus.

“APT32 is one of the actors that is known to use CactusTorch HTA to drop variants of the Denis RAT,” researchers said. Moreover, the domain used to host malicious archives and documents is registered in Ho Chi Minh City, Vietnam, which also points to APT32, researchers noted.

That said, it’s still unclear exactly who is behind the attack because researchers did not access the final payload to examine it extensively, they said.

The attack begins as a ZIP file containing a malicious document, called “Compensation.manual.doc,” that threat actors distribute through spear-phishing attacks and which purports to offer information about compensation rights for workers.

“Inside we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode,” researchers wrote. “CactusTorch is leveraging the DotNetToJscript technique to load a .NET compiled binary into memory and execute it from vbscript.”

#malware #web security #apt #apt32 #campaign #cyberattack #detection evasion #fileless malware #injection #kraken #malware #malwarebytes #nation state #oceanlotus #vietnam #vietnamese #windows error reporting #workers's compensation

Chet Lubowitz

1595065800

Encryption Utility Firm Accused of Bundling Malware Functions

The increasingly prevalent GuLoader malware has been traced back to a far-reaching encryption service that attempts to pass as above-board.

An Italian company that sells what it describes as a legitimate encryption utility is being used as a malware packer for the cloud-delivered malicious GuLoader dropper, researchers claim. The tool, according to a recent investigation, creates GuLoader samples and helps the malware avoid antivirus detection.

For its part, the company claims it has taken steps to prevent bad actors from using its wares for ill.

According to researchers at Check Point, the company identified as CloudEyE is looking to take a piece of the traditional packer and crypter market – a thriving arena that caters to malware authors looking for obfuscation for their wares.

GuLoader is a widespread dropper that compromises targets and then delivers second-stage malware. It’s been constantly updated over the course of 2020, according to Check Point, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.

“As a result, we can reasonably assume that behind GuLoader there is a major new service” providing various forms of encryption, according to the researchers.

#cloud security #malware #check point #cloudeye #crypter #darkeye #encryption #guloader #italian company #malware #malware analysis #packer #securitycode.eu

Hal Sauer

1593046080

Sodinokibi Ransomware Now Scans Networks For PoS Systems

Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware.

Cybercriminals behind recent Sodinokibi ransomware attacks are now upping the ante and scanning their victims’ networks for credit-card or point-of-sale (PoS) software. Researchers believe this is a new tactic designed to let attackers get the biggest bang for their buck: ransom payments and credit-card data.

The compromise of PoS software – which is commonly installed on credit-card terminals at retail stores or restaurants – is a cybercriminal favorite for siphoning credit-card information from unwitting customers. In this campaign, researchers found the Sodinokibi ransomware sniffing out PoS systems on the compromised networks of three “large” unnamed companies in the services, food and healthcare sectors.

However, it’s not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.

“While many of the elements of this attack are ‘typical’ tactics seen in previous attacks using Sodinokibi, the scanning of victim systems for PoS software is interesting, as this is not typically something you see happening alongside targeted ransomware attacks,” said Symantec researchers in a Tuesday analysis. “It will be interesting to see if this was just opportunistic activity in this campaign, or if it is set to be a new tactic adopted by targeted ransomware gangs.”

#malware #web security #bruce force #cobalt strike #credit card #data theft #malware #point of sale #pos #powershell #ransomware #rdp #shell code #sodinokibi