Recently, a new point-of-sale (POS) malware, “Alina”, has been discovered, and experts stated that it has been using the DNS protocol to exfiltrate credit card data.

This brand-new POS malware named Alina has been around since 2012, but it is now attacking again with a new method for stealing credit and debit card data via Domain Name System (DNS) tunneling.

According to the new intelligence report from CenturyLink’s Black Lotus Labs, Alina hasn’t been behind any big event yet, but its operators continue to find new ways to use it to steal credit and debit card data from inexperienced victims.

Alina POS Uses DNS to Circumvent Detection

The experts at Black Lotus Labs explained that securing POS systems means locking them down so that they can connect only over the particular protocols they require. In several cases these restrictions involve blocking the HTTP protocol so that POS systems can’t connect to web servers.

These restrictions can stop POS malware, which usually uses the HTTP protocol, from connecting back to the command and control servers it relies on to steal credit and debit card information.

The DNS protocol, on the other hand, is hard to block because a variety of Windows services require it, so the POS malware uses encoded DNS queries to communicate with its command and control server.

Key Research Findings:
  • During the investigation, the experts found four domains that showed these DNS queries.
  • This new POS malware uses the DNS protocol to exfiltrate credit card and debit card data.
  • The hackers are planning to use a fifth domain, but it has been kept unused.
  • Threat actors often register multiple domains for redundancy in case any of the malicious domains are blocked.
  • The security experts at Black Lotus Labs luckily identified the POS malware, and they confirmed that many credit cards and debit cards were stolen.

Domains Used by The Alina POS Malware
  • analytics-akadns[.]com
  • akamai-analytics[.]com
  • akamai-information[.]com
  • akamai-technologies[.]com

The image below shows the volume of queries that Black Lotus Labs observed for each of the C2 domains from January 2020. After a decrease in traffic in April, there has been a sudden spike in traffic, notably to “akamai-technologies[.]com”.

Image Source: CenturyLink

The spike in traffic is due to queries coming from a single victim in the financial services sector.

Data involved

The final data included in the credit card data segment comprises the following:

  • Credit card number
  • Expiration date
  • An unknown seven-digit number

Many malware authors prefer DNS because it helps them bypass security restrictions and exfiltrate data from protected networks easily. Black Lotus Labs, however, uses machine learning algorithms to classify data exfiltration and other unusual DNS traffic.
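As an added illustration (not Black Lotus Labs' classifier and not code from the original report), here is a simple heuristic for spotting this kind of DNS exfiltration in resolver logs: it matches the four domains listed above and flags clients that send many long, high-entropy subdomains under one parent domain. The log format, the thresholds and the `exfil-demo.example` domain are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

# C2 domains listed in the article (defanged there; refanged here for matching).
ALINA_DOMAINS = {d.replace("[.]", ".") for d in (
    "analytics-akadns[.]com", "akamai-analytics[.]com",
    "akamai-information[.]com", "akamai-technologies[.]com")}

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def split_qname(qname):
    """Return (subdomain, parent), taking the last two labels as the parent.
    Assumption: fine for .com-style names; use a public suffix list in production."""
    labels = qname.replace("[.]", ".").rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(queries, min_len=30, min_entropy=3.5, min_unique=3):
    """queries: iterable of (client_ip, qname). Thresholds are illustrative assumptions."""
    encoded = defaultdict(set)  # (client, parent) -> distinct encoded-looking subdomains
    alerts = set()
    for client, qname in queries:
        sub, parent = split_qname(qname)
        if parent in ALINA_DOMAINS:
            alerts.add((client, parent, "known-c2-domain"))
        payload = sub.replace(".", "")
        if len(payload) >= min_len and entropy(payload) >= min_entropy:
            encoded[(client, parent)].add(sub)
    # Many distinct long, random-looking names under one parent suggest tunnelling.
    for (client, parent), subs in encoded.items():
        if len(subs) >= min_unique:
            alerts.add((client, parent, "encoded-subdomains"))
    return sorted(alerts)

# Constructed sample log: (client IP, queried name). Not real traffic.
SAMPLE = [
    ("10.0.5.21", "0123456789abcdeffedcba9876543210.exfil-demo.example"),
    ("10.0.5.21", "89abcdef0123456776543210fedcba98.exfil-demo.example"),
    ("10.0.5.21", "02468ace13579bdffdb97531eca86420.exfil-demo.example"),
    ("10.0.5.21", "time.windows.com"),
    ("10.0.5.30", "www.akamai-technologies[.]com"),  # kept defanged, normalised on parse
    ("10.0.5.30", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.shop.example"),  # long, low entropy
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

On a POS network segment, where the set of legitimate DNS names is small, an allowlist of expected parent domains is a useful complement to these thresholds.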

Afterwards, the researchers reached out to the customers affected by the Alina malware and to the registrars of the malicious domains. The security experts said they would continue to watch the malicious domains as they work to reduce the exfiltration of data in CenturyLink's global DNS traffic.

Source: Cyber Security News
Image: Collage from images by toffeomurice & janjf93, both from Pixabay, and Markus Spiske from Pexels