Whether this information is intended for use later for lateral movement is unclear, but this information alone would be sufficient to treat this executable as malicious: the network map, list of running processes and list of installed security updates is highly valuable information.

DNS Comms & Post Setup Functionality

After the initial HTTP request to determine its external IP address, the monitor component appears to communicate exclusively via fake DNS requests, all of which follow a format beginning with {Machine ID}, where {Machine ID} is always 15 characters long, {Message Type} is taken from a set of pre-defined strings, and the actual message components "xxxx" can vary in length but never exceed 31 characters.

Forcepoint’s analysis identified five possible values for the {Message Type} field: bin, info, ping, trp, and note. The ‘bin’ messages are used to transmit the initial burst of data gathered into PCi.jpg by the info.bat process, while ‘ping’ is a heartbeat message sent to the C2 every 60 minutes. Info messages - as the name suggests - are purely informational and are despatched alongside ping messages:

{PCNAME}; {USERNAME}; [NS:IP {C2URL}:{C2IP}]

The note and trp message types required further analysis and relate to the core functionality of the malware. Investigating the functionality spread across the additional threads revealed a process designed to collect Track 1 and Track 2 payment card data by scraping the memory of running processes. These processes are checked against an embedded and pre-defined blacklist of common system process and browser names, with only those not present on the list being scanned. If Track 1/2 data is found in memory it will be extracted as is, converted to and sent as a trp message. A note message will also be generated and transmitted with the following content:

[IP: (redacted)] - String found in: processname.exe -

The malware further logs this process name to a file called sinf.dat, the number of total processes with successful extraction to hdwid.dat, and saves a hash of the trp message to udwupd.kdl, presumably for the purpose of keeping track of what’s already been submitted to the C2 server. All five message types are logged to the {Machine ID}.dat file prior to transmission.

Timelines

As the underlying intent of the malware became clear, Forcepoint attempted to identify further samples from the same family to determine whether this was something new (and possibly still being tested before deployment) or part of an ongoing campaign. These efforts revealed another service component, but unfortunately not the corresponding monitor nor the parent 7-Zip SFX archive. Interestingly, this second service component was named ‘Intel Upgrade Services’ and apparently intended to masquerade as an Intel update as opposed to a LogMeIn update. Based on the compilation dates of the executables, the Intel-themed sample was created about two weeks prior to the LogMeIn one. Whether this is a sign that the authors of the malware were not successful in deploying it at first, or whether these are two different campaigns, cannot be fully determined at this time due to the lack of additional executables.

Design Decisions and Detection Rate

The coding style and techniques seen within the malware can hardly be described as outstanding. Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware and, equally, there are more advanced ways of fingerprinting a PC and generating a report. That said, the method used in this sample does appear to get the job done.

On the other hand, DNS-based communication and data exfiltration is genuinely unusual – although not unique – and can be quite effective. Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications; however, DNS is still often treated differently, providing a golden opportunity to leak data. The overall impression is of a piece of malware inspired by the success of (and some of the better ideas and techniques employed by) its predecessors.

Detection rates for the malware are still very low for the monitor component at the time of writing. Visibility is always an issue when it comes to non-traditional malware: samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems.

Conclusion

Discovering a unique piece of malware is a rare event these days and UDPoS, while unusual, is not a new concept. There have been several Point of Sale malware families identified over the past few years, all with the same goal: harvesting credit card data on a large scale – consider how many different cards may be used in stores, bars, or restaurants across the course of a day, let alone weeks or months.

From a consumer standpoint, protecting oneself against this sort of threat can be a tricky proposition for individuals: a PoS terminal could conceivably remain infected for significant lengths of time. However, enabling reporting on your credit card activity (many banks offer SMS, Push, and email alerts) can greatly reduce the time of discovery – and therefore recovery – if abuse does occur.

For many businesses, the situation may not be much better: legacy PoS systems are often based on variations of the Windows XP kernel and, in large retailers, may be present on hundreds or even thousands of devices. While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year.

As UDPoS highlights, exfiltrating stolen credit card data can and will result in unusual patterns of activity on the machines (DNS traffic in this case). By identifying and reacting to these patterns, businesses – both PoS terminal owners and suppliers – can close down this sort of attack sooner.
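A resolver-log detector for the fake-DNS pattern described above, added here as an example and not part of Forcepoint's analysis. It assumes a query layout of {Machine ID}.{Message Type}.components.C2-domain (message type as the second label, a two-label C2 domain) and runs over constructed log lines; the page itself only states that queries begin with the 15-character {Machine ID}, names the five message types, and caps components at 31 characters.

```python
import re
from collections import Counter

# The five {Message Type} values identified in the analysis.
UDPOS_MESSAGE_TYPES = {"bin", "info", "ping", "trp", "note"}
MACHINE_ID_LEN = 15      # {Machine ID} is always 15 characters long
MAX_COMPONENT_LEN = 31   # message components "xxxx" never exceed 31 characters

# Constructed resolver log lines: "<timestamp> <client ip> <query name>".
SAMPLE_LOG = """\
2018-02-01T10:00:00Z 10.1.1.20 ABCDEFGHIJKLMNO.ping.example-c2.test
2018-02-01T10:00:01Z 10.1.1.20 ABCDEFGHIJKLMNO.info.SHOP-POS-01.cashier.example-c2.test
2018-02-01T10:00:30Z 10.1.1.21 www.vendor-updates.test
2018-02-01T10:05:00Z 10.1.1.20 ABCDEFGHIJKLMNO.trp.4d4f434b.ab12cd34ef56.example-c2.test
2018-02-01T10:05:01Z 10.1.1.20 ABCDEFGHIJKLMNO.note.ZmFrZS1ub3Rl.example-c2.test
2018-02-01T10:06:00Z 10.1.1.22 mail.corp.test
2018-02-01T10:07:00Z 10.1.1.23 short.ping.example-c2.test
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def is_udpos_query(qname: str) -> bool:
    """True if a query name matches the UDPoS pattern.

    Assumed layout (not stated verbatim on the page): label 1 is the
    machine ID, label 2 the message type, the last two labels the C2
    domain, and anything in between the message components.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 4:  # machine id + type + two-label C2 domain at minimum
        return False
    machine_id, msg_type, *components = labels[:-2]
    return (len(machine_id) == MACHINE_ID_LEN
            and msg_type in UDPOS_MESSAGE_TYPES
            and all(0 < len(c) <= MAX_COMPONENT_LEN for c in components))


def scan_log(text: str):
    """Return (client, machine_id, msg_type, qname) for every matching line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_udpos_query(m["qname"]):
            labels = m["qname"].split(".")
            hits.append((m["client"], labels[0], labels[1], m["qname"]))
    return hits


def summarise(hits):
    """Count message types per (client, machine id); trp/note hits mean card data was scraped."""
    return Counter((client, mid, mtype) for client, mid, mtype, _ in hits)
```

Pairing this with an alert on any trp or note count above zero gives the "unusual pattern of activity" the conclusion refers to, independent of the C2 domain in use.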