Delaware, USA – December 20, 2017 – Researchers from the RSA FirstWatch division reported on a campaign distributing GratefulPOS, a point-of-sale malware family discovered about a month ago. The malware reuses code from several earlier families of POS malware. At the time of publication it is not known for sure how the attackers gain initial access to the victims' networks, but the malware is installed manually on systems inside the compromised networks. GratefulPOS targets 64-bit systems running Windows 7 or later: it scrapes payment card data from process memory and exfiltrates it through DNS queries to attacker-controlled servers. The malware is well hidden from antivirus products, and because the stolen data travels inside ordinary DNS lookups it passes most security controls on its way out. It does not need direct access to the Internet; it is enough for the infected host to be able to send queries to the internal DNS server, which forwards them to the attackers' authoritative name servers as part of normal recursive resolution.
This campaign targets large enterprises, whose wide networks generate enough DNS traffic for adversaries to hide their queries in. The recommended protection is DNS domain whitelisting (resolving only approved external domains), but this is not always possible in practice. You can use the DNS Security Check Advanced use case for ArcSight, QRadar and Splunk not only to detect suspicious requests but also to find all DNS servers on your network and analyze all DNS server event logs.
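The DNS-side detection described above, as an added example that is not code from the DNS Security Check use case, from RSA FirstWatch, or from GratefulPOS itself: a small Python script that reads BIND-style query log lines, groups queries per client and base domain, and alerts when one client sends many distinct subdomains carrying long or high-entropy labels to a single base domain. The log lines, the domain names (including the `cdn-update.example` exfiltration domain), the two-label base-domain rule and all thresholds are constructed assumptions for this example.

```python
"""Heuristic DNS-exfiltration detector over BIND-style query logs.

Added example: log lines, domains and thresholds are constructed for
illustration.  Parsing assumes lines of the form
"... client IP#port (...): query: NAME IN TYPE ..." and the last two
labels of a name are taken as its base (registered) domain."""
import math
import re
from collections import Counter, defaultdict

# Domains the enterprise legitimately resolves in bulk: the DNS domain
# whitelisting the page recommends, applied here as an alert suppression list.
ALLOWLIST = {"example.com", "example.net"}

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample (not real traffic): a workstation (10.0.1.23), a host
# tunnelling card data out in DNS labels like a POS scraper (10.0.2.77), and a
# host resolving hashed CDN names under an allowlisted domain (10.0.3.5).
SAMPLE_LOG = """\
20-Dec-2017 10:15:01.101 client 10.0.1.23#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
20-Dec-2017 10:15:02.330 client 10.0.1.23#51235 (mail.corp-intranet.local): query: mail.corp-intranet.local IN A + (10.0.0.53)
20-Dec-2017 10:15:03.004 client 10.0.1.23#51236 (very-long-but-readable-hostname-for-internal-app.corp-intranet.local): query: very-long-but-readable-hostname-for-internal-app.corp-intranet.local IN A + (10.0.0.53)
20-Dec-2017 10:15:03.900 client 10.0.1.23#51237 (_ldap._tcp.dc._msdcs.corp-intranet.local): query: _ldap._tcp.dc._msdcs.corp-intranet.local IN SRV + (10.0.0.53)
20-Dec-2017 10:15:05.012 client 10.0.2.77#49152 (9f3c1e7a0b5d2846.b84d2c0e5a7f1639.01.cdn-update.example): query: 9f3c1e7a0b5d2846.b84d2c0e5a7f1639.01.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:05.118 client 10.0.2.77#49153 (2d7b9e4f1c3a5806.6e0c8a1f3b5d9724.02.cdn-update.example): query: 2d7b9e4f1c3a5806.6e0c8a1f3b5d9724.02.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:05.231 client 10.0.2.77#49154 (a4c8e2f6b0d19375.5e3d7c1b9f0a8642.03.cdn-update.example): query: a4c8e2f6b0d19375.5e3d7c1b9f0a8642.03.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:05.340 client 10.0.2.77#49155 (0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.04.cdn-update.example): query: 0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.04.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:05.452 client 10.0.2.77#49156 (7a3f9b1e5c0d2684.d2c6e8b4a0f19735.05.cdn-update.example): query: 7a3f9b1e5c0d2684.d2c6e8b4a0f19735.05.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:05.563 client 10.0.2.77#49157 (c5d1e9f3a7b20486.4b6a8c0e2f1d3957.06.cdn-update.example): query: c5d1e9f3a7b20486.4b6a8c0e2f1d3957.06.cdn-update.example IN TXT + (10.0.0.53)
20-Dec-2017 10:15:20.500 client 10.0.3.5#53001 (a3f9b1e5c0d26847.cdn.example.net): query: a3f9b1e5c0d26847.cdn.example.net IN A + (10.0.0.53)
20-Dec-2017 10:15:20.611 client 10.0.3.5#53002 (b7e2c9d4f1a05863.cdn.example.net): query: b7e2c9d4f1a05863.cdn.example.net IN A + (10.0.0.53)
20-Dec-2017 10:15:21.000 zone corp-intranet.local/IN: loaded serial 2017122001
"""

def parse_line(line):
    """Return (client_ip, qname, qtype) for a query line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def shannon_entropy(s):
    """Bits per character; 4.0 is the ceiling for a 16-symbol (hex) alphabet."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """'a.b.example.com' -> ('a.b', 'example.com').  Assumes a two-label base
    domain; a production rule would consult a public-suffix list."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(qname, sub, qtype):
    """Content indicators for one query; each alone is weak evidence."""
    payload = sub.replace(".", "")
    hits = set()
    if len(qname) > 50:
        hits.add("long_qname")
    if len(payload) >= 24 and shannon_entropy(payload) > 3.5:
        hits.add("high_entropy_labels")
    if qtype in ("TXT", "NULL"):
        hits.add("uncommon_qtype_" + qtype)
    return hits

def detect(lines, allowlist=ALLOWLIST, min_unique_subdomains=5):
    """Alert on (client, base domain) pairs with many distinct subdomains AND at
    least one content indicator.  Volume alone would flag CDNs; content alone
    would flag a single long hostname."""
    stats = defaultdict(lambda: {"subdomains": set(), "indicators": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, qtype = parsed
        sub, base = split_name(qname)
        if base in allowlist:
            continue
        entry = stats[(ip, base)]
        entry["subdomains"].add(sub)
        entry["indicators"] |= query_indicators(qname, sub, qtype)
    alerts = {}
    for key, entry in stats.items():
        if len(entry["subdomains"]) >= min_unique_subdomains and entry["indicators"]:
            alerts[key] = {"unique_subdomains": len(entry["subdomains"]),
                           "indicators": sorted(entry["indicators"])}
    return alerts

if __name__ == "__main__":
    for (ip, base), info in detect(SAMPLE_LOG.splitlines()).items():
        print("ALERT %s -> %s: %s" % (ip, base, info))
```

Run as-is, the script raises one alert, for the constructed POS host and its exfiltration domain; the workstation's single long readable hostname and the CDN's short hashed names do not fire. In a SIEM the same grouping is a distinct-count of subdomains per source and base domain over a time window, and the allowlist holds the domains you would otherwise whitelist at the resolver.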