Hello, welcome to the Thursday, July 2nd, 2020 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich. And the I'm recording from Jacksonville, Florida. Central Link got a neat little article about the Alina point of sales malware, as they call it,

and it does focus on behavior that I've seen before in this type of malware,

but I think it's often overlooked, and that's the exfiltration of credit card data via DNS queries.

Gray card data is kind of made for being exfiltrated via DNS.

All you have to do is take the track data, create a host name, and then look up that

host name, and of course, using a domain that the attacker owns. So the attacker will be able

to log this DNS query.

In my opinion, there are kind of three different things that you can do to detect behavior

like this.

First of all, just the sheer volume of DNS queries may give this away, also the length of

the DNS query, and then probably the most important part here,

look for the top 10 by frequency domains that were looked up a particular day, that were

not looked up at all for the last 30 days. That report usually tends to be hugely productive when it comes to find various

DNS-based command control channels.

I've got a couple of updates for the Mac OS Malaver that I talked about yesterday.

Called it yesterday a ransom air because it does display a ransom

node, but further analysis done by sleeping computer as well as by Patrick Wardle from Objective

C suggests that, well, it's probably really more a wiper in the sense that you are unlikely going to get your data back.

Part of the reason that they're believing this is that the Bitcoin address for the ransom

is static. There is no other way to contact the author. So as they suggest here that they

would decrypt your files once you pay, well, they don't really know who paid. So as they suggest here that they would decrypt your files once you pay,

...