Posted on July 3, 2020 at 1:40 PM
Security researchers at CenturyLink discovered that hackers have increased the capabilities of the Alina point-of-sale malware, as it now uses DNS tunneling to steal credit card data.
In a blog post by the CenturyLink researchers, they said the Alina malware was initially thought to have gone extinct after it was discovered in 2012. But the malware is back again. The earlier operational method of the malware was the use of a combination of DNS and HTTPS or only HTTPS to steal credit card information. However, the most recent sample discovered by the researchers only utilizes DNS for communication.
The researchers utilized a machine learning model to flag off queries to the akamai-technologies[.]com. domain. Once they decoded the data found within the subdomains of the queries, they discovered credit card details the Alina POS malware was stealing.
Earlier in April, researchers discovered that all the domains, particularly the akamai-technologies.com domain have witnessed an increased level of traffic.
“This increase in traffic is due to queries originating from a single victim from the financial services industry,” researchers pointed out.
They discovered that the DNS queries to the C2 domains are type A queries, which means they expect an ipv4 reply.
The malware utilizes DNS to steal data
After analyzing the data, the researchers revealed that the malware was stealing credit card details using the DNS protocol. It then sends the stolen data to a remote server controlled by the hackers.
CenturyLink researchers are now warning users that the malware is now back in operation with a new method known as DNS tunneling. The new method enables hackers to steal credit card data from unsuspecting victims.
The researchers also discovered the domains the Alina malware was utilizing to send messages to the C2 servers through DNS. When the malware communicates with the C2 servers, it encodes DNS queries and attaches them to a domain to make it look like a subdomain.
When the DNS query is sent to the C2 server, it decodes the encoded subdomain to extract either the PING command or the stolen card data, informing the actors that the malware is still operational on the system. The four domains the researchers uncovered showed the same DNS queries.
The malware also makes use of an algorithm to ensure it is stealing genuine payment card data from the target computer’s RAM.
After stealing the data, the actors send a DNS query to a domain they control. Subsequently, the malware places the encoded data to the subdomain, making it easier for the actors to extract, according to the report.
The stolen data include credit card numbers, their expiration dates, and a 7-digit number the researchers are yet to decode. Most times, they sell the stolen card details on the darknet.
POS malware posing serious security threats
There is other malware utilizing DNS protocols to steal and send data to remote servers. Earlier in the year, researchers discovered a new Mozart backdoor malware that was using DNS TXT records to communicate with C2 domains.
CenturyLink researchers said malware authors usually use DNS when they want to evade security systems and steal data from protected networks.
They also said POS malware is increasingly posing serious security threats, as malicious actors try to bypass security protocols by regularly updating their malware.
It was observed by the Black Lotus Labs researchers that the volume of DNS queries increased in January and continued through May.
Alina resurfacing with an improved version
The Alina malware was initially uncovered in 2012, as it was used by cybercriminals to launch attacks on U.S. retailers. Since then, those behind it have improved on the capabilities of the malware, including the procedures and techniques of attack. The malware is now more difficult to detect due to the improvement made by the developers.
The researchers advised that all organizations should increase the monitoring systems of their DNS traffic to easily detect suspicious queries and stop any imminent attack.