Malware hides as LogMeIn DNS traffic to target point-of-sale systems

Updated: A new strain of unusual malware disguises itself as a LogMeIn service pack to hide suspicious traffic.
Written by Charlie Osborne, Contributing Writer

A new strain of point-of-sale (PoS) malware is disguising itself as a LogMeIn service pack to hide the theft of customer data.

On Thursday, Forcepoint researchers Robert Neumann and Luke Somerville said in a blog post that a new malware family, dubbed UDPoS, attempts to disguise itself as legitimate services to avoid detection while transferring stolen data.

A sample of the malware recently uncovered by the cybersecurity firm masquerades as a LogMeIn function. LogMeIn is a legitimate remote access system used to manage PCs and other systems remotely.

This fake 'service pack' generated "notable amounts of 'unusual' DNS requests," according to the team, and on further investigation the fake LogMeIn component turned out to be PoS malware.

PoS malware lurks in systems where credit card information is processed and potentially stored, such as in shops and restaurants. If a point-of-sale system is infected, malware such as DEXTER or BlackPOS will steal the payment card data contained on credit card magnetic stripes, before sending this information to its operator through a command and control (C&C) server.

This information can then be used to create duplicate cards, drain bank accounts, and potentially commit identity theft.

In 2013, US retailer Target was the victim of PoS malware and the credit card information of roughly 110 million customers was stolen.

In what Forcepoint calls an occasional needle in a "digital haystack," the new UDPoS malware uses LogMeIn-themed filenames and C&C URLs to hide its DNS-based traffic.

A sample of the malware, called logmeinumon.exe, connects to a C&C server hosted in Switzerland and contains a dropper and self-extracting archives that extract their contents to temp directories.

A LogMeInUpdService directory is also created together with a system service to enable persistence, and then a monitoring component comes into play.

"This monitoring component has an almost identical structure to the service component," the researchers say. "It's compiled by the same Visual Studio build and uses the same string encoding technique: both executables contain only a few identifiable plain-text strings, and instead use a basic encryption and encoding method to hide strings such as the C2 server, filenames, and hard-coded process names."

The monitoring component not only keeps an eye on infected system processes but also checks for antivirus protections and virtual machines.

Any data up for grabs, such as customer card information, is then collected and sent out through DNS traffic disguised as LogMeIn activity.

"Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications, however, DNS is still often treated differently providing a golden opportunity to leak data," the researchers note.
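The gap the researchers describe, DNS leaving the network with less scrutiny than ordinary TCP and UDP traffic, is one a defender can partly close by looking at the shape of DNS queries rather than just their destination. The following is an added example, not code from the article or from Forcepoint, that applies a simple tunnelling heuristic to DNS query logs: per client and apex domain it counts queries, checks how many names are unique, and measures the length and Shannon entropy of the leftmost label, since encoded payload chunks are long and high-entropy while ordinary hostnames are not. The log format, the client addresses and the hostnames (including the `logmein-example.invalid` placeholder) are constructed for the example; they are not indicators from the report.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query logs in a hypothetical
# "<timestamp> <client-ip> <qname> <qtype>" format. The hostnames are
# placeholders invented for this example, not indicators from the report.
SAMPLE_LOG = """\
2017-10-25T10:00:01 10.1.1.20 www.example.com A
2017-10-25T10:00:02 10.1.1.20 mail.example.com A
2017-10-25T10:00:05 10.1.1.20 docs.example.com A
2017-10-25T10:00:09 10.1.1.20 www.example.com A
2017-10-25T10:00:03 10.1.1.21 4f1a9c3b2e7d8a6f0c1b2d3e4f5a6b7c.update.logmein-example.invalid A
2017-10-25T10:00:03 10.1.1.21 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.update.logmein-example.invalid A
2017-10-25T10:00:04 10.1.1.21 0a1b2c3d4e5f60718293a4b5c6d7e8f9.update.logmein-example.invalid A
2017-10-25T10:00:04 10.1.1.21 f9e8d7c6b5a4938271605f4e3d2c1b0a.update.logmein-example.invalid A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, qtype) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname.rstrip(".").lower(), qtype


def apex_of(qname):
    """Approximate the registered domain as the last two labels.
    A real deployment would consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def analyze(text):
    """Per (client, apex) statistics over the leftmost label of each query."""
    groups = defaultdict(list)
    for client, qname, _qtype in parse_log(text):
        groups[(client, apex_of(qname))].append(qname)
    stats = {}
    for key, names in groups.items():
        first_labels = [n.split(".")[0] for n in names]
        stats[key] = {
            "queries": len(names),
            "unique_names": len(set(names)),
            "mean_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "mean_label_len": sum(map(len, first_labels)) / len(first_labels),
        }
    return stats


def suspicious(text, min_queries=3, min_entropy=3.0, min_label_len=20):
    """Return sorted (client, apex) pairs whose query pattern looks like
    DNS tunnelling: enough queries, mostly unique names, and leftmost
    labels that are long and high-entropy (encoded payload chunks)."""
    flagged = []
    for key, s in analyze(text).items():
        if s["queries"] < min_queries:
            continue
        mostly_unique = s["unique_names"] / s["queries"] >= 0.8
        encoded_looking = (s["mean_entropy"] >= min_entropy
                           and s["mean_label_len"] >= min_label_len)
        if mostly_unique and encoded_looking:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, apex in suspicious(SAMPLE_LOG):
        print(f"possible DNS exfiltration: {client} -> *.{apex}")
```

Run against the constructed log, the ordinary workstation (`10.1.1.20`) stays quiet while the host emitting 32-character hex labels under one apex is reported. The thresholds are starting points; in practice they are tuned per environment and combined with the volume anomaly the article mentions (a single PoS terminal suddenly issuing far more DNS queries than its peers), and the apex heuristic should be replaced with a Public Suffix List lookup to avoid mis-grouping names under shared suffixes.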

Forcepoint emphasizes that the use of LogMeIn themes is simply a way to camouflage the malware's activities; after Forcepoint disclosed the findings to the remote-access software firm, no evidence of abuse of LogMeIn's product or service was found.

It is not yet known whether this malware is being used in the wild, but the samples' compilation timestamps are recorded as 25 October 2017, so this may be a relatively new campaign.

However, the researchers say there is evidence of an "earlier Intel-themed variant," which suggests UDPoS may be the next evolution of malware already in operation, tweaked to become more successful and to target fresh victims.

Update 14.27 GMT: LogMeIn provided the following statement:

"This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product.
You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
