Security researchers from FireEye have recently discovered a new variant of point-of-sale (POS) malware called Multigrain that steals payment card data from POS terminals and sends it back to attackers using the Domain Name System (DNS).
This new malware is part of a family of malware programs known as NewPosThings, with which it shares some code. However, Multigrain is highly targeted, digitally signed, and sends stolen payment card details over DNS, all of which is new for this family of malware.
Usually, POS malware looks for card data in the memory of many processes, but Multigrain was engineered to target a specific point-of-sale process called multi.exe, which is associated with a popular back-end card authorization and POS (electronic draft capture) server software package. Not all POS terminals run the multi.exe process, and if the malware finds itself on a terminal where the process is not running, it simply deletes itself.
FireEye's researchers believe the attackers who created this malware had detailed knowledge of the target environment and knew this process would be running there. That specific knowledge shaped the malware while it was being developed and built.
FireEye did not reveal which POS terminal models are affected. However, the presence of malware that can send stolen data through DNS is alarming and shows the need for companies to monitor the DNS traffic that originates from their own networks for suspicious behavior.
Once Multigrain is installed on a system, it scrapes the memory of the targeted process for the PAN (Primary Account Number), expiration date, service code and, optionally, the CVV/CVC number. These details are sufficient in most scenarios to attempt both “card-present” and “card-not-present” fraud. The malware then encrypts the data with a 1024-bit RSA public key and stores it in a buffer for sending.
Another unique thing about Multigrain is how it encodes itself and the stolen data. Both the installation beacon and the stolen card data are Base32-encoded before being transmitted via DNS queries. Base32 is an interesting choice, as Base64 is better known and more widely used, and Base32-encoded data is 20% larger than the Base64 encoding of the same data. The researchers believe the attackers chose Base32 because it prevents most security and data loss prevention (DLP) products from detecting and decoding the data, since those products look for Base64-encoded content.
Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and, more importantly, it sends data back to the attackers via DNS queries.
Multigrain tells us that attackers can and will customize malware “on the fly” to target a specific environment. They can also be creative, using less common protocols or methods for data exfiltration. This means companies should always be vigilant and should monitor and review DNS traffic for suspicious or anomalous behavior.
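The Base32-over-DNS channel described above and the closing advice to review DNS traffic both reduce to the same defensive question: which query names on the network carry encoded payloads in their labels? The script below is an added example, not FireEye's code or anything from the Multigrain sample. It reads a constructed, whitespace-separated DNS query log (the line format, the client addresses and the query names are all made up for the example), scores each label of each query name against the Base32 alphabet plus length and entropy thresholds that are assumptions of mine, re-pads and decodes matching labels the way a DLP product would have to, and summarizes the hits per client and per parent domain.

```python
"""Heuristic detector for Base32-looking labels in DNS query logs.

Added example (not FireEye's code and not derived from the malware). It
scans a constructed DNS query log for query names whose subdomain labels
look like Base32 blobs and summarizes them per client, so an analyst can
review the DNS traffic the article recommends monitoring.
"""
import base64
import binascii
import math
import re
from collections import Counter, defaultdict

# Constructed sample log. The format "<timestamp> <client> <qname> <qtype>"
# is an assumption; the addresses and domains are invented for the example.
SAMPLE_LOG = """\
2016-04-19T10:00:01Z 10.1.2.30 www.example.com A
2016-04-19T10:00:02Z 10.1.2.30 time.windows.com A
2016-04-19T10:00:03Z 10.1.2.31 mail.example.com MX
2016-04-19T10:00:04Z 10.1.2.30 NBSWY3DPEB3W64TMMQ.cdn-updates.example A
2016-04-19T10:00:05Z 10.1.2.30 MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI.cdn-updates.example A
2016-04-19T10:00:06Z 10.1.2.32 a1b2c3.static.example.net A
"""

# RFC 4648 Base32 alphabet (A-Z, 2-7) with optional '=' padding; DNS names
# are case-insensitive, so lowercase is accepted too.
BASE32_LABEL = re.compile(r"^[A-Za-z2-7]+=*$")
MIN_LABEL_LEN = 16  # assumed threshold: shorter labels are mostly ordinary hostnames
MIN_ENTROPY = 3.0   # assumed threshold, bits per character; encoded data is near-uniform


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_base32_label(label: str) -> bool:
    """True if label looks like a Base32 blob rather than a hostname word.

    Requires the Base32 alphabet, a minimum length, at least one digit 2-7
    (all-letter words such as 'administration' also fit the alphabet) and
    high character entropy. It is a heuristic and will miss short blobs.
    """
    if len(label) < MIN_LABEL_LEN or not BASE32_LABEL.match(label):
        return False
    if not any(ch in "234567" for ch in label):
        return False
    return shannon_entropy(label.upper()) >= MIN_ENTROPY


def try_b32decode(label: str):
    """Re-add the '=' padding a sender would strip and decode; None if invalid."""
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except (binascii.Error, ValueError):
        return None


def parse_line(line: str):
    """Split one log line into its fields, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip("."), "qtype": qtype}


def suspicious_labels(qname: str):
    """Return the labels of qname that look Base32-encoded, left to right."""
    return [lab for lab in qname.split(".") if is_base32_label(lab)]


def analyze(log_text: str):
    """Per-client summary of queries carrying Base32-looking labels.

    Returns {client: {"queries": n, "parents": set(...), "bytes": m}} where
    'parents' are the domains under which the blobs were sent (everything
    after the last encoded label) and 'bytes' is the total decoded payload
    size, a rough measure of how much data left via this channel.
    """
    report = defaultdict(lambda: {"queries": 0, "parents": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["qname"].split(".")
        hits = [i for i, lab in enumerate(parts) if is_base32_label(lab)]
        if not hits:
            continue
        entry = report[rec["client"]]
        entry["queries"] += 1
        entry["parents"].add(".".join(parts[max(hits) + 1:]))
        for i in hits:
            decoded = try_b32decode(parts[i])
            entry["bytes"] += len(decoded) if decoded else 0
    return dict(report)


if __name__ == "__main__":
    for client, info in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client}: {info['queries']} suspicious queries, "
              f"~{info['bytes']} decoded bytes, parents={sorted(info['parents'])}")
```

Content-hash labels used by CDNs and some load balancers will trip the same heuristic, so the useful signal in production is the combination: many distinct high-entropy labels from one client under one parent domain, which is the per-client, per-parent aggregation the script produces, rather than any single query in isolation.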
You can find technical details about the Multigrain malware by visiting the source link.