Alina point-of-sale malware using DNS to steal credit card info

News by Rene Millman

DNS tunnelling used to exfiltrate data from retail systems - primarily stolen credit card information.

Security researchers have discovered that hackers have bolstered the capabilities of the Alina point-of-sale malware to steal credit card data using DNS tunnelling.

According to a blog post by CenturyLink, the Alina malware has resurfaced after it was first discovered in 2012. In earlier samples, the malware used HTTPS or a combination of HTTPS and DNS for the exfiltration of the stolen credit card information. The latest sample now only uses DNS for communication.

Researchers at CenturyLink’s Black Lotus Labs used one of its machine learning models that flagged unusual queries to the domain akamai-technologies[.]com. Upon decoding the information contained in the subdomains of these queries, they uncovered what was revealed to be credit card information being exfiltrated by the Alina Point of Sale (POS) malware.

In April this year, researchers noticed that there had been an increase in traffic to all the domains, especially, since the beginning of May.

“This increase in traffic is due to queries originating from a single victim from the financial services industry,” researchers said.

The DNS queries to the C2 domains are all type A queries, meaning they are expecting an ipv4 response. Researchers spotted that they all have random-looking subdomains.

After analysis, researchers concluded that the malware was using the DNS protocol to steal credit card data and send this information to a remote server operated by hackers.

“Each of the DNS queries uncovered are either checking in with the C2, such as the “Ping” query above, or they contain credit card information. The queries that contain credit card numbers contain an executable name in the field following the location or descriptor field. This appears to be the process which the malware identified as containing the credit card information in memory,” said researchers.

Researchers said that DNS is a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks. “Point of Sale malware continues to pose a serious security threat, and malicious actors regularly update their malware in efforts to evade detection,” they added.

Researchers warned organisations to monitor DNS traffic for anomalous activities in order to prevent similar attacks.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that Alina has been around for a while, and this latest evolution shows the group behind it is not slowing down anytime soon.

“PoS malware comes in various guises therefore it's important organisations take time to understand the risks and take measures to reduce the likelihood of the attacks being successful. This can include using threat intelligence to check for IOCs, securing remote access, enabling EMV technologies, and turning on monitoring across the network as well as behavioural monitoring,” he said.

“For Alina specifically, the monitoring needs to look at DNS traffic to spot any unusual or unexpected activity and have response controls built in to take remedial action."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews