Alina POS malware now using DNS tunnelling to steal payment cards data

Alina POS malware is back in circulation, now using DNS tunnelling to steal card details from unsuspecting victims

Researchers at CenturyLink's Black Lotus Labs have uncovered a new campaign that is using added capabilities in Alina point-of-sale (POS) malware to steal payment cards' data from unsuspecting victims.

POS malware, when installed on a point-of-sale system, enables hackers to monitor payments performed using credit cards. The malware scrapes the credit card data from the system's memory and sends it to a remote command and control (C2) server being operated by the hackers.

Alina POS malware is not a new species. It was first discovered in 2012, according to researchers, and its earlier versions used HTTPS or a combination of HTTPS and domain name system (DNS) to exfiltrate the stolen credit card information from POS systems to its operators.

CenturyLink researchers now warn that Alina POS malware is back in circulation, with a new trick called DNS tunnelling that enables hackers to steal card details from unsuspecting victims.

The theft was noticed after a machine-learning model developed at Black Lotus Labs flagged some odd queries to a particular domain in April 2020. After analysing those queries, the researchers arrived at the conclusion that Alina malware was using DNS protocol to exfiltrate stolen cards' details to a remote server under the attackers' control.

The researchers also found domains that Alina malware was using to communicate with its C2 servers over DNS. When Alina malware communicated with C2 servers, it would encode DNS queries and attach them to a domain as if they were a subdomain.

When C2 server received a DNS query, it would decode the encoded subdomain to extract either the stolen card data or a PING command, telling malicious actors that the malware was still running on the system.

According to researchers, all four domains they discovered showed similar DNS queries.

Alina is not the only malware using DNS protocol to exfiltrate data to remote servers. Earlier this year, researchers warned organisations of new Mozart backdoor malware that was seen utilising DNS TXT records for C2 communication.

"DNS is a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks," CenturyLink researchers state in their report.

"Point of sale malware continues to pose a serious security threat, and malicious actors regularly update their malware in efforts to evade detection," they write,

The researchers recommend that all organisations monitor their DNS traffic for suspicious queries to prevent such attacks.