Alina Point-of-Sale Malware Spotted in Ongoing Campaign

alina pos dns tunneling

The malware is using DNS tunneling to exfiltrate payment-card data.

A venerable point-of-sale (POS) malware called Alina that’s been around since 2012 is back in circulation, with a new trick for stealing credit- and debit-card data: Domain Name System (DNS) tunneling.

DNS is the mechanism by which numeric IP addresses are linked to website names; DNS translates human-readable domain names to IP addresses so browsers can load internet resources. Researchers at Black Lotus Labs spotted a still-ongoing campaign that began in April, in which cyberattackers employed Alina to siphon off payment-card information, then used DNS to exfiltrate it.

“To do this, malware authors encode the stolen information and issue a DNS query to the actor-controlled domain name,” according to the researchers’ analysis, issued on Wednesday. “The encoded data is placed in a subdomain, which the malicious actors then extract when they receive the DNS query. The stolen data is subsequently sold in underground criminal markets.”

In the most recent campaign, four domains showed similar, suspicious DNS queries that turned out to lead back to Alina: analytics-akadns[.]com; akamai-analytics[.]com; akamai-information[.]com; and akamai-technologies[.]com.

A suspicious-looking fifth domain, sync-akamai[.]com, was unused, but it was hosted on the same IP, according to the researchers.

“Actors often register multiple domains to provide redundancy if one or more of the malicious domains is blocked,” according to the analysis.

The volume of queries that Black Lotus Labs observed to each of the C2 domains saw a marked increase in traffic to all the domains, especially akamai-technologies[.]com, beginning in May. Researchers said that the increase in traffic is due to queries originating from a single victim from the financial services industry.

Source: Black Lotus

Each of the DNS queries uncovered are either checking in with the C2, or they contain credit-card information.

“The queries that contain credit card numbers contain an executable name in the field following the location or descriptor field,” according to Black Lotus. “This appears to be the process which the malware identified as containing the credit-card information in memory. Earlier samples of the malware either contained a list of processes to examine, or examined every process running except for those contained in a list of processes to ignore.”

Alina can attack physical POS devices as well as computers running POS software.

“During the credit-card transaction, the data is typically decrypted and is temporarily in the POS software’s memory in unencrypted form,” according to researchers. “The malware searches the RAM of the POS device for this unencrypted credit-card information and sends it back to a command-and-control (C2) server. To ensure that only real credit-card data is found when searching the RAM of the device, the malware verifies that the last digit of the card number is the correct check digit using the Luhn checksum algorithm.”

The use of DNS isn’t unusual – it’s a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks, researchers pointed out. It’s a new trick for Alina however – its operators are banking (no pun intended) that while credit-card processing occurs in highly restricted environments, DNS often goes unmonitored.

“While earlier samples of the malware used HTTPS or a combination of HTTPS and DNS for the exfiltration of the stolen credit-card information, samples seen starting in late 2018 use DNS exclusively for communication,” researchers said.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles