Researchers at CenturyLink's Black Lotus Labs have uncovered a new campaign that uses added capabilities in the Alina point-of-sale (POS) malware to steal payment card data from unsuspecting victims.
POS malware, when installed on a point-of-sale system, enables hackers to monitor payments performed using credit cards. The malware scrapes the credit card data from the system's memory and sends it to a remote command and control (C2) server being operated by the hackers.
Alina POS malware is not a new species. It was first discovered in 2012, according to researchers, and its earlier versions used HTTPS or a combination of HTTPS and domain name system (DNS) to exfiltrate the stolen credit card information from POS systems to its operators.
CenturyLink researchers now warn that Alina POS malware is back in circulation, with a new trick called DNS tunnelling that enables hackers to steal card details from unsuspecting victims.
The theft was noticed after a machine-learning model developed at Black Lotus Labs flagged some odd queries to a particular domain in April 2020. After analysing those queries, the researchers concluded that the Alina malware was using the DNS protocol to exfiltrate stolen card details to a remote server under the attackers' control.
The researchers also found the domains that the Alina malware was using to communicate with its C2 servers over DNS. When the malware communicated with a C2 server, it would encode the data it wanted to send and prepend it to one of those domains as if it were a subdomain, then issue a DNS query for the resulting name.
When the C2 server received such a query, it would decode the encoded subdomain to extract either the stolen card data or a PING command, the latter telling the malicious actors that the malware was still running on the system.
According to researchers, all four domains they discovered showed similar DNS queries.
Alina is not the only malware using the DNS protocol to exfiltrate data to remote servers. Earlier this year, researchers warned organisations about the new Mozart backdoor malware, which was seen using DNS TXT records for C2 communication.
"DNS is a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks," CenturyLink researchers state in their report.
"Point of sale malware continues to pose a serious security threat, and malicious actors regularly update their malware in efforts to evade detection," they write.
The researchers recommend that all organisations monitor their DNS traffic for suspicious queries to prevent such attacks.
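The technique described above (data encoded into the leftmost label of a query under an attacker-controlled domain, plus a short check-in) leaves a recognisable footprint in DNS resolver logs, and the recommendation to monitor DNS traffic is only useful if you know what to look for. The following Python script is an added example, not code from the researchers or from the report: it parses a constructed log of DNS queries and flags, per client and registrable domain, long high-entropy leftmost labels and unusually many distinct subdomains. The log format, the `c2-placeholder.example` domain, the hex-like labels and the thresholds are all assumptions made for the example; the real malware's encoding is not stated on the page, and the heuristics do not depend on it.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client, QNAME, QTYPE.
# All names and addresses are made up for this example; c2-placeholder.example
# stands in for an attacker-controlled domain and is not a real indicator.
# The short "50494e47" label stands in for a periodic check-in query.
SAMPLE_LOG = """\
2020-04-12T10:00:01Z 10.0.0.5 www.example.com A
2020-04-12T10:00:02Z 10.0.0.5 mail.example.com A
2020-04-12T10:00:03Z 10.0.0.7 a93f0c7e5d2b18f4e6c0d9a7b3f15e28.c2-placeholder.example A
2020-04-12T10:00:04Z 10.0.0.7 7b2e4c91d5a0f36e8b1d27c4a9e05f3b.c2-placeholder.example A
2020-04-12T10:00:05Z 10.0.0.7 c41e9a7f2d05b8e3f6a1c9d4e27b05f8.c2-placeholder.example A
2020-04-12T10:00:06Z 10.0.0.7 50494e47.c2-placeholder.example A
2020-04-12T10:00:07Z 10.0.0.5 cdn.example.com A
2020-04-12T10:00:08Z 10.0.0.9 static-assets-images-0000000000001.example.com A
"""


def parse_log(text):
    """Parse whitespace-separated log lines (constructed format) into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype})
    return records


def base_domain(qname):
    """Assumption: the registrable domain is the last two labels. Production
    code should use a public-suffix list instead of this shortcut."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def shannon_entropy(s):
    """Bits per character of a label: encoded payload scores high, while
    dictionary words and zero-padded counters score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(records, min_label_len=24, min_entropy=3.0, min_unique=4):
    """Group queries by (client, registrable domain) and flag groups whose
    leftmost labels look like encoded data or whose distinct-subdomain count
    is high. Thresholds are illustrative; tune them per environment."""
    groups = defaultdict(set)
    for r in records:
        dom = base_domain(r["qname"])
        if r["qname"] != dom:
            sub = r["qname"][: -(len(dom) + 1)]  # everything left of the domain
            groups[(r["client"], dom)].add(sub)
    findings = []
    for (client, dom), subs in sorted(groups.items()):
        reasons = []
        suspicious = [s for s in subs
                      if len(s.split(".")[0]) >= min_label_len
                      and shannon_entropy(s.split(".")[0]) >= min_entropy]
        if suspicious:
            reasons.append("long high-entropy leftmost label")
        if len(subs) >= min_unique:
            reasons.append("many distinct subdomains from one client")
        if reasons:
            findings.append({"client": client, "domain": dom,
                             "reasons": reasons, "subdomains": sorted(subs)})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['domain']}: {', '.join(f['reasons'])}")
        for s in f["subdomains"]:
            print("   ", s)
```

On the constructed log, only the 10.0.0.7 traffic to `c2-placeholder.example` is reported, on both counts; the long but repetitive `static-assets-images-0000000000001` label from 10.0.0.9 stays below the entropy threshold, and the three ordinary hostnames under `example.com` stay below the distinct-subdomain threshold. In a real deployment the distinct-subdomain count is measured over a time window and set far higher than four, and the two signals are best combined with query volume and the age or reputation of the domain rather than used alone.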