UDPoS malware spotted in the wild

March 23, 2018


The SonicWall Capture Labs Threat Research Team has observed a new point-of-sale (POS) malware called UDPoS, detected as UDPOS.A.

UDPOS is a newly-discovered malware that preys upon credit card payment systems. UDPoS uses DNS tunneling to exfiltrate the data from the system.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe
    • C:\WINDOWS\system32\LogMeInUpdService\hdwid.dat [Machine ID]
    • C:\WINDOWS\system32\LogMeInUpdService\sinf.dat [Process Name Logs]
    • C:\WINDOWS\system32\LogMeInUpdService\[Random Number].dat [Track Data]
    • C:\WINDOWS\system32\LogMeInUpdService\infobat.bat [Net Commands]
    • %Userprofile%\Local Settings\Temp\7ZSfx000.cmd [Wipe Commands]

Once the computer is compromised, the malware creates a new system service to maintain persistence and then launches a component to monitor for sensitive payment card data.

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

The malware uses a simple encryption and encoding scheme to obfuscate strings such as the C&C server address, filenames, and process names, which hinders static detection and signature matching. Because these strings must be decoded at runtime, they can still be recovered from a memory dump or by observing the sample in a sandbox.

The malware terminates itself if it detects antivirus software or a debugger on the infected system, so analysts should examine it in an environment where neither is visible to the sample, or bypass these checks.

The malware retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information. It attempts to enumerate credit card data from POS software with the following API functions:

The malware logs the POS process name into the sinf.dat file:

The malware generates a random identifier for the target machine and saves it into the hdwid.dat file:

Once it locates payment card data, the malware makes a single HTTP request to determine the infected system's external IP address.

Once the public IP is acquired, the malware attempts to validate the card numbers and then sends the Track 1 and Track 2 data, in encrypted form, to one of its C&C servers by embedding it in DNS queries, in a format such as the following example:
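To make the DNS-tunneling channel concrete, here is an added Python example (written for this page; it is not UDPoS code and does not reproduce its real query format, which is not shown on the page) that encodes a track record into DNS query names and then detects such queries in resolver logs. The query layout (sequence number, base32 chunk, machine identifier, C&C domain), the domain example.test, the machine identifier and the log line format are all constructed assumptions for the illustration.

```python
import base64
from collections import defaultdict
from typing import Dict, List

# --- sender side: carrying data in DNS query names (assumed layout) ---
# Layout used here: <seq>.<base32 chunk>.<machine id>.<domain>. Base32 is
# chosen because its alphabet (A-Z, 2-7) is valid in hostnames.

def encode_exfil(machine_id: str, payload: bytes, domain: str,
                 label_len: int = 40) -> List[str]:
    """Split payload into base32 labels and build one query name per chunk."""
    if not 1 <= label_len <= 63:
        raise ValueError("a DNS label holds at most 63 characters")
    data = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    chunks = [data[i:i + label_len] for i in range(0, len(data), label_len)]
    return [f"{seq}.{chunk}.{machine_id}.{domain}"
            for seq, chunk in enumerate(chunks)]


def decode_exfil(qnames: List[str]) -> bytes:
    """Reassemble the payload from the queries, which may arrive out of order."""
    parts: Dict[int, str] = {}
    for q in qnames:
        seq, chunk = q.split(".")[:2]
        parts[int(seq)] = chunk
    data = "".join(parts[i] for i in sorted(parts)).upper()
    data += "=" * (-len(data) % 8)          # restore base32 padding
    return base64.b32decode(data)


# --- detector side: flag parent domains receiving tunnel-like queries ---
# Constructed resolver log lines in a "<time> <client> <qname> <qtype>"
# layout; adapt parse_qname() to your own resolver's log format.
TRACK2_SAMPLE = b";5555555555554444=25121011000000000?"   # Mastercard test number
SAMPLE_LOG_LINES = [
    "10:00:01 10.0.0.5 www.example.com A",
    "10:00:01 10.0.0.5 cdn.example.com A",
    "10:00:01 10.0.0.5 api.example.com AAAA",
] + [f"10:00:02 10.0.0.7 {q} A"
     for q in encode_exfil("a1b2c3", TRACK2_SAMPLE, "example.test")]


def parse_qname(line: str) -> str:
    return line.split()[2].rstrip(".").lower()


def find_tunnels(lines: List[str], max_label: int = 30,
                 min_bytes: int = 64) -> Dict[str, int]:
    """Return {parent domain: subdomain bytes} for domains that look like exfil channels.

    Two signals are combined: at least one unusually long label (legitimate
    hostnames rarely approach the 63-character limit) and a large total
    volume of subdomain bytes sent towards the same parent domain.
    """
    sub_bytes: Dict[str, int] = defaultdict(int)
    has_long_label = set()
    for line in lines:
        labels = parse_qname(line).split(".")
        if len(labels) < 3:
            continue                        # nothing below the parent domain
        parent = ".".join(labels[-2:])
        sub = labels[:-2]
        sub_bytes[parent] += sum(len(label) for label in sub)
        if max(len(label) for label in sub) >= max_label:
            has_long_label.add(parent)
    return {p: n for p, n in sub_bytes.items()
            if n >= min_bytes and p in has_long_label}


if __name__ == "__main__":
    queries = encode_exfil("a1b2c3", TRACK2_SAMPLE, "example.test")
    print(queries)
    print(decode_exfil(queries))
    print(find_tunnels(SAMPLE_LOG_LINES))
```

The thresholds are deliberately simple; in production, baseline the byte volume per parent domain over a longer window and add the count of unique subdomains, since a tunnel never repeats a query name while CDN and API traffic does.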

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: UDPOS.A (Trojan)