Discovered in January 2018 by Forcepoint researchers, UDPoS masquerades as updates for LogMeIn remote access software, using the initial file update.exe to deliver the additional payloads LogmeinServicePack_5.115.22.001.exe and logmeinmon.exe. Once a PoS terminal is infected, UDPoS creates a new system service to maintain persistence and then launches a component to monitor for sensitive payment card data. It uses a basic encryption and encoding method to obfuscate various strings such as the C2 server, filenames, and process names to evade detection. It also terminates itself if it detects the presence of antivirus software or a virtual machine on the infected system. Once it locates payment card data, UDPoS makes one HTTP request to determine the infected system's external IP address and then exfiltrates the data by generating UDP-based DNS traffic.
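A defender-side check for the DNS exfiltration pattern described above, added here as an example that is neither Forcepoint's code nor anything from the malware itself: it scans a DNS query log for a source host sending a burst of queries with long, high-entropy leftmost labels under one registered domain. The log format, the domain names, the thresholds and the hashlib-generated sample labels are constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS query log in a hypothetical "epoch src qname qtype" format.
# Host 10.0.0.5 sends a burst of queries whose leftmost label is 32 hex characters.
SAMPLE_LOG = "\n".join(
    ["1517961600 10.0.0.5 www.example.com A",
     "1517961600 10.0.0.7 mail.example.com MX"]
    + [f"15179616{i:02d} 10.0.0.5 "
       f"{hashlib.sha256(b'chunk%d' % i).hexdigest()[:32]}.c2-example.test A"
       for i in range(1, 31)]
)

def shannon_entropy(s):
    """Entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Crude last-two-labels approximation of the registered domain."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def is_encoded_label(qname, min_len=24, min_entropy=3.0):
    """True when the leftmost label is long and high-entropy, i.e. looks like data."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dns_exfil(log_text, min_queries=20, min_ratio=0.8):
    """Return {(src, domain): count} for pairs with >= min_queries queries, >= min_ratio of them encoded-looking."""
    totals = defaultdict(int)
    encoded = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _, src, qname, _ = parts
        key = (src, registered_domain(qname))
        totals[key] += 1
        if is_encoded_label(qname):
            encoded[key] += 1
    return {k: n for k, n in totals.items()
            if n >= min_queries and encoded[k] / n >= min_ratio}

if __name__ == "__main__":
    for (src, domain), n in find_dns_exfil(SAMPLE_LOG).items():
        print(f"possible DNS exfiltration: {src} -> {domain} ({n} queries)")
```

On real resolver logs, tune the thresholds against a baseline of normal traffic, since CDNs and some security products also emit long machine-generated labels.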
Reporting and Technical Details:
- February 2018: UDPoS - Exfiltrating Credit Card Data via DNS (Forcepoint)