DMSniff POS Malware Thrives via DGA
DMSniff POS Malware Uses DGA to Stay Active
Recent security research has uncovered a rare strain of point-of-sale (POS) malware; what makes it notable is that it uses a domain generation algorithm (DGA) to keep its command-and-control (C&C) infrastructure reachable.
According to Flashpoint's recent blog post, the DMSniff malware may have been in use undetected for as long as four years, targeting small and mid-sized businesses in the restaurant and entertainment sectors.
A DGA serves the malware well: DGAs are used to evade detection and takedown by generating large numbers of new C&C domains on an ongoing basis, so blocking or seizing any one domain does not cut the bot off from its operators. Once the algorithm and its seed are reverse engineered, however, defenders can produce the same domain list in advance and block or sinkhole it. The blog also states that 11 variants of the DGA were found in DMSniff, and claims that such a feature is unusual in POS malware.
Using a DGA is only one part of the attacker's scheme to stay hidden from investigators. Another technique discovered by Reaves and Platt is a simple string encoding routine designed to stop researchers from quickly understanding the malware's capabilities.
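To make the DGA point concrete, here is an added example that is not code from the Flashpoint post and is not DMSniff's algorithm (the post does not publish it): a generic date-seeded DGA of the kind the text describes, together with the defender's counterpart, which regenerates the same list for a window of upcoming days so the domains can be blocked or sinkholed before the bot contacts them. The seed string, the label length, the TLD list and the domain count per day are all illustrative assumptions.

```python
import datetime
import hashlib
import re

# Assumed parameters for this illustrative DGA (not DMSniff's real values).
TLDS = ["com", "net", "org"]
LABEL_LENGTH = 12
DOMAINS_PER_DAY = 10

DOMAIN_RE = re.compile(r"^[a-z]{%d}\.(com|net|org)$" % LABEL_LENGTH)


def generate_domains(seed: str, day: datetime.date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Generic date-seeded DGA (hypothetical): derive each candidate C&C domain
    from SHA-256(seed | date | index). Every bot holding the same seed produces
    the same list for a given day, and the list changes automatically the next
    day, which is what makes a static blocklist or single takedown ineffective."""
    domains = []
    for index in range(count):
        material = f"{seed}|{day.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LENGTH digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        # The last digest byte selects the TLD.
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(seed: str, start: datetime.date, days: int) -> set[str]:
    """Defender's side: once the algorithm and seed are recovered from a sample,
    precompute every domain the bot could use over the next `days` days so they
    can be registered, sinkholed or blocked ahead of time."""
    domains: set[str] = set()
    for offset in range(days):
        domains.update(generate_domains(seed, start + datetime.timedelta(days=offset)))
    return domains


def is_valid_domain(domain: str) -> bool:
    """Sanity check on the shape of a generated domain."""
    return DOMAIN_RE.match(domain) is not None


if __name__ == "__main__":
    today = datetime.date(2019, 3, 13)  # constructed date for the demo
    for d in generate_domains("example-seed", today):
        print(d)
    print(len(blocklist_for_window("example-seed", today, 30)), "domains to sinkhole over 30 days")
```

In practice the seed is often something the bot can derive without contacting the attacker (the date, a hard-coded constant, a value from a public web page), and recovering exactly how it is derived is the piece of reverse engineering that turns a DGA from a takedown obstacle into a predictable blocklist.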
The Flashpoint blog further stated that "For the data theft portion of the POS, the bot is simple because it comes with an onboard list of process names to avoid; it will use this list while looping through the process tree. Each time it finds an interesting process, it will loop through the memory sections to attempt to find a credit card number. Once a number is found, the bot will take the card data and some of the surrounding memory, package it, and send it to the C2."
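The scraping loop quoted above is the standard POS memory-scraper pattern, and the same logic is useful on the defensive side to confirm whether a POS process holds card numbers in cleartext. The following is an added example, not code from the Flashpoint post or from DMSniff: it walks a set of process memory snapshots, skips names on an exclusion list, searches each region for 13 to 19 digit runs, keeps only those that pass the Luhn check (the check real scrapers use to cut false positives), and records the match together with a window of surrounding bytes, as the quote describes. The process names, the exclusion list, the context window size and the memory contents are all constructed for the demo; the real bot's process list is not given in the excerpt.

```python
import re
from dataclasses import dataclass

# Constructed exclusion list: the excerpt says the bot carries one but does not publish it.
SKIP_PROCESSES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "explorer.exe"}

# Candidate PAN: 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check over an ASCII digit string; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Hit:
    process: str
    offset: int      # offset of the PAN within the memory region
    pan: bytes
    context: bytes   # PAN plus surrounding bytes, as the scraper exfiltrates it


def scan_region(process: str, region: bytes, context_bytes: int = 16) -> list[Hit]:
    """Scan one memory region for Luhn-valid PANs and capture surrounding memory."""
    hits = []
    for m in PAN_RE.finditer(region):
        pan = m.group(1)
        if not luhn_ok(pan):
            continue
        start = max(0, m.start() - context_bytes)
        end = min(len(region), m.end() + context_bytes)
        hits.append(Hit(process, m.start(), pan, region[start:end]))
    return hits


def scan_processes(snapshots: dict[str, list[bytes]]) -> list[Hit]:
    """Loop over processes (name -> list of memory regions), skipping the exclusion list."""
    hits = []
    for name, regions in snapshots.items():
        if name.lower() in SKIP_PROCESSES:
            continue
        for region in regions:
            hits.extend(scan_region(name, region))
    return hits


# Constructed memory snapshots. 4111111111111111 is a well-known Luhn-valid test
# number; 1234567890123456 fails Luhn and must be ignored as a false positive.
SAMPLE_MEMORY = {
    "pos_app.exe": [
        b"\x00\x00TXN=0042;PAN=4111111111111111;EXP=2212\x00\x00",
        b"order id 1234567890123456 ignore",
    ],
    "explorer.exe": [b"PAN=4111111111111111"],  # skipped: on the exclusion list
}


if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_MEMORY):
        print(hit.process, hit.offset, hit.pan.decode(), hit.context)
```

Two practitioner notes. First, real scrapers usually look for track data (PAN followed by the track-2 separator and expiry) rather than bare digit runs, which cuts false positives further; the regex above is deliberately the broader form. Second, the same scan run by a defender against a POS process is a quick way to verify whether card data is ever present unencrypted in memory, which is exactly the condition that makes this class of malware profitable.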