DMSniff POS Malware Uses DGA to Stay Active


Researchers have discovered a rare strain of point-of-sale (POS) malware which uses a domain generation algorithm (DGA) to keep its command-and-control (C2) channel alive when individual domains are blocked or seized.

Flashpoint’s Jason Reaves and Joshua Platt revealed in a blog post that the DMSniff malware may have been in use undetected for as long as four years, targeting small and mid-sized businesses in the restaurant and entertainment sectors.

DGAs are used to evade detection and takedown: instead of contacting a fixed, hard-coded C&C address, the bot computes a fresh batch of candidate domain names on a schedule (typically from a seed and the current date), so blocklisting or seizing one domain achieves little, while the operator, who knows the algorithm, registers one of the next batch ahead of time.

The duo said they have found 11 variants of the DGA in DMSniff, claiming such a feature is unusual in POS malware.

It’s also not the only tactic the malware authors have used to protect it from investigators. Another, discovered by Reaves and Platt, was a simple string encoding routine designed to hide the malware’s strings from static analysis and so slow down researchers trying to understand its capabilities.

“Flashpoint analysts believe attackers using DMSniff could be gaining an initial foothold on devices either by using brute-force attacks against SSH connections, or by scanning for vulnerabilities and exploiting those,” they added.

“For the data theft portion of the POS, the bot is simplistic because it comes with an onboard list of process names to avoid; it will use this list while looping through the process tree. Each time it finds an interesting process, it will loop through the memory sections to attempt to find a credit card number. Once a number is found, the bot will take the card data and some of the surrounding memory, package it, and send it to the C2.”
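The scraping loop described above reduces to a few primitives: skip processes on an avoid-list, sweep each remaining process's memory for runs of digits of card-number length, keep only those that pass the Luhn check, and package the hit with some surrounding bytes. The following is an added example written for this page, not DMSniff's code; it stands in for live process memory with a constructed byte buffer, and the avoid-list, the digit-length bounds, the context size and the sample data are assumptions. The same Luhn-plus-regex sweep is what an incident responder runs over a memory dump to confirm whether card data was exposed, which is why it is worth seeing the whole thing.

```python
"""RAM-scraper core, reconstructed in the general case: a constructed buffer stands in
for a process's memory. Not DMSniff's code; the avoid-list, length bounds, context size
and sample bytes are assumptions made for this example."""
import re

# Assumed avoid-list: system processes that never hold track data.
AVOID = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

# A PAN is 13-19 digits not adjacent to other digits (so timestamps and IDs
# embedded in longer digit runs are not split into false candidates).
PAN_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right, folds
    two-digit results by subtracting 9, and requires the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(mem: bytes, context: int = 16) -> list[dict]:
    """Sweep one memory region for Luhn-valid PANs; return each hit with its
    offset and `context` bytes either side (the 'surrounding memory' the bot ships)."""
    hits = []
    for m in PAN_RE.finditer(mem):
        pan = m.group(1)
        if not luhn_ok(pan):
            continue
        start, end = m.start(1), m.end(1)
        hits.append({
            "pan": pan.decode(),
            "offset": start,
            "context": mem[max(0, start - context): end + context],
        })
    return hits


def processes_to_scan(process_names: list[str]) -> list[str]:
    """Apply the onboard avoid-list while walking the process list."""
    return [p for p in process_names if p.lower() not in AVOID]


def scrape(process_memory: dict[str, bytes]) -> dict[str, list[dict]]:
    """Walk {process name: memory bytes}, skipping avoided processes, and collect
    hits per process. Only processes that produced a hit are returned."""
    results = {}
    for name in processes_to_scan(list(process_memory)):
        hits = find_cards(process_memory[name])
        if hits:
            results[name] = hits
    return results


# Constructed memory image for a fictional POS process.
SAMPLE_MEMORY = (
    b"\x00\x00\x00TXN_ID=20190314101500\x00"        # 14-digit timestamp: fails Luhn
    b"CARD1:4111111111111111=2303101\x00\x00"       # valid PAN with a track-2 style tail
    b"ref 123456789012\x00"                         # 12 digits: too short to be a PAN
    b"CARD2:4111111111111112\x00"                   # one digit corrupted: fails Luhn
    b"\x00\x00CARD3:4242424242424242\x00\x00"       # second valid PAN
)

SAMPLE_PROCESSES = {
    "pos.exe": SAMPLE_MEMORY,
    "svchost.exe": SAMPLE_MEMORY,   # same bytes, but on the avoid-list: never scanned
    "notepad.exe": b"nothing to see here 0000",
}


def run_demo() -> dict[str, list[dict]]:
    return scrape(SAMPLE_PROCESSES)


if __name__ == "__main__":
    for proc, hits in run_demo().items():
        for h in hits:
            print(f"{proc}: {h['pan']} at offset {h['offset']} ctx={h['context']!r}")
```

Two details matter for defenders. The Luhn filter is what keeps the scraper's output small enough to exfiltrate quietly (timestamps, order IDs and phone numbers are discarded), so the same filter makes a good post-incident triage tool. And because the bot has to open other processes' memory to do this, a process on a till that reads the memory of the payment application is itself a strong detection signal, whatever the malware family.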

The findings highlight the ongoing threat to US businesses from POS malware, despite the growing prevalence of EMV chip cards and terminals across the country. EMV is designed to blunt this kind of attack by making the data captured at the terminal far less useful for producing counterfeit cards; RAM scrapers thrive where cards are still swiped on the magnetic stripe or the chip data is not handled as intended.

It seems malware authors are betting on smaller businesses not having rolled out EMV, or misconfiguring it.

Back in February, restaurant chain Huddle House revealed it had been the victim of a major POS breach, while later that month a POS solutions provider was hacked, leading to malware being installed on a range of its clients’ systems.
