Background

Point of sale (PoS) systems remain a tempting target for threat actors. While corporations and other large organizations can afford private IT security teams to monitor payment data, many smaller businesses cannot. PoS systems usually send credit card data to simple computers running basic versions of Windows or Linux, increasing their attractiveness to criminals.  

UDPoS is a newly-discovered malware that preys upon credit card payment systems. It uses several deceptive tricks to infiltrate PoS systems and obtain credit card information. Once the information is collected, UDPoS uses DNS tunneling to exfiltrate the data from the system.

UDPoS Analyzed

The Cylance Threat Guidance team recently performed a detailed analysis of UDPoS.

Our tests began with the malware dropper, a self-extracting 7-zip archive file named update.exe. The archived file contains a malware service and payload. When the dropper is executed the malware payload, logmeinumon.exe, is extracted to disk. The service, LogmeinServicePack_5.115.22.001.exe, is executed by 7-zip’s RunProgram feature. The LogMeIn naming convention is likely an attempt by threat actors to camouflage the malware as legitimate remote desktop protocol (RDP) software.

The dropper self-deletes after execution, leaving the malware service to create a persistence mechanism on the host. The system locations used by UDPoS to store malicious persistence components depend upon the rights of the user executing the malware. Once persistence has been established the malware service relinquishes control to the payload.

The UDPoS payload loads itself into memory and then performs a check for existing antivirus (AV) solutions. This check contains buggy code which successfully identifies only one of four AV libraries. The malware then creates an ID file, hdwid.dat, for storing stolen data. UDPoS then launches five threads which perform the heavy-lifting for the malware:

  •        Thread 1 – gathers system information  
  •        Thread 2 – initializes command and control (C2) communication and obtains the victim's external IP address 
  •        Thread 3 – systematically pings the C2 server 
  •        Thread 4 – scrapes the memory of running processes to extract track 1 and track 2 credit card data 
  •        Thread 5 – sends exfiltrated data to the C2 server via DNS tunneling 

For an in-depth look at how UDPoS operates, read this entry on our Cylance Threat Spotlight blog.

Why is UDPoS Important and Why Should I be Concerned?

Anyone accepting credit card payments through a PoS system should be concerned with keeping their customer’s data secure. UDPoS steals track 1 and track 2 credit card data. Track 1 data includes customer information, card number, and three-digit CVV2 code. Track 2 data contains magnetic stripe information useful for creating physical clones of compromised cards.

 Loss of customer credit card data proved exceptionally damaging to the reputations and finances of major retailers like Target and Home Depot. It is unlikely smaller businesses could survive the costs of UDPoS stealing their customer’s credit card data and delivering it to criminals.

Cylance Stops UDPoS

UDPoS is another threat that Cylance could prevent before the malware was engineered. This was demonstrated by our Threat Research team, who took a nearly two-year-old version of CylancePROTECT® and tested it against UDPoS. Once again, the artificial intelligence and machine learning-driven CylancePROTECT agent was up to the task of predicting and preventing this threat long before it appeared in the wild.

Other companies offer reactive protections from previously identified malware. Cylance predicts and prevents security breaches from the threats of today and unknown threats of tomorrow.