
‘Multigrain’ variant of POS malware crops up; uses DNS tunneling to steal data

Whoever says “Multigrain” is good for you obviously hasn't run into the point-of-sale malware that goes by this nomenclature.

A variant of the NewPosThings POS malware family, dubbed Multigrain, has introduced an interesting wrinkle—exfiltrating stolen payment card data from POS systems via the Domain Name System (DNS), as opposed to via HTTP or File Transfer Protocol (FTP), FireEye explained in its threat research blog on Tuesday.

Because DNS is conventionally used to translate domain names into IP addresses, and not to transfer general data, the system is often overlooked by security teams when assessing potential threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external connections, the DNS "is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked," explains the FireEye blog. Consequently, DNS remains an open, lightly watched channel for intruders, making this tactic especially appealing to stealthy cybercriminals.

Another of Multigrain's quirks, according to FireEye, is that it is uniquely designed to target systems that run the specific POS process multi.exe, which is associated with a popular back-end card authorization and POS server software package.

The malware will simply delete itself if the POS system in question does not run this particular process; but if the process is detected, then Multigrain installs itself. FireEye suggests that this means the attackers are likely familiar with how to exploit the multi.exe process in particular.

Once executed, Multigrain scrapes the memory of the multi.exe process, looking for Track 2 magnetic stripe data, which normally includes a payment card's Primary Account Number, expiration date, service code and CVV/CVC number. The malware checks every five minutes to see if this data is ready for exfiltration via DNS query.
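The two points above (DNS is rarely blocked, and Multigrain pushes its stolen Track 2 data out in DNS queries) suggest what a defender can actually look for: query names whose subdomain labels carry an unusually long, high-entropy payload, and a single domain receiving many never-repeated subdomains. The following detector is an added example written for this article, not code from FireEye or from the malware analysis; it runs over constructed log lines in a made-up format, uses the placeholder domain `evil-example.net`, and simplifies "registered domain" to the last two labels (an assumption; production code would consult the public suffix list).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<client> query: <qname> <qtype>" (an assumption, not any vendor's format).
LOG_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")

HEX_ALPHABET = "0123456789abcdef"


def _constructed_chunk(i: int) -> str:
    """Constructed stand-in for one hex-encoded exfiltration chunk (64 hex chars).
    A rotated hex alphabet repeated four times keeps the statistics exact: every
    symbol appears four times, so the entropy is exactly 4.0 bits per character."""
    rotated = HEX_ALPHABET[i:] + HEX_ALPHABET[:i]
    return rotated * 4


# Constructed sample traffic: ordinary lookups, one long-but-benign label, and four
# tunneling-style queries that each carry a 64-char payload split into two labels.
SAMPLE_LOG = "\n".join(
    [
        "10.0.0.5 query: www.example.com A",
        "10.0.0.5 query: mail.example.com A",
        "10.0.0.6 query: api.example.com A",
        "10.0.0.6 query: cdn.example.com A",
        "10.0.0.6 query: software-updates.vendor-example.com A",
    ]
    + [
        f"10.0.0.7 query: {_constructed_chunk(i)[:32]}.{_constructed_chunk(i)[32:]}.evil-example.net A"
        for i in range(4)
    ]
)


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Parse log lines into (client, lowercased qname without trailing dot, qtype)."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m["client"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return records


def registered_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels (use the PSL in practice)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def query_features(qname: str) -> dict:
    """Features of the part of the name the client controls (everything below the registered domain)."""
    payload = "".join(qname.split(".")[:-2])
    return {"payload_len": len(payload), "entropy": shannon_entropy(payload)}


def detect_tunneling(records, min_unique=4, min_payload_len=30, min_entropy=3.0) -> list[dict]:
    """Flag a registered domain when at least two independent signals fire:
    many unique subdomains, long subdomain payloads, or high payload entropy."""
    names = defaultdict(set)
    feats = defaultdict(list)
    for _client, qname, _qtype in records:
        dom = registered_domain(qname)
        names[dom].add(qname)
        feats[dom].append(query_features(qname))

    alerts = []
    for dom, seen in names.items():
        f = feats[dom]
        avg_len = sum(x["payload_len"] for x in f) / len(f)
        avg_ent = sum(x["entropy"] for x in f) / len(f)
        reasons = []
        if len(seen) >= min_unique:
            reasons.append(f"{len(seen)} unique subdomains")
        if avg_len >= min_payload_len:
            reasons.append(f"average subdomain payload {avg_len:.0f} chars")
        if avg_ent >= min_entropy:
            reasons.append(f"average payload entropy {avg_ent:.2f} bits/char")
        if len(reasons) >= 2:
            alerts.append({"domain": dom, "unique_names": len(seen), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(parse_log(SAMPLE_LOG)):
        print(alert["domain"], "->", "; ".join(alert["reasons"]))
```

Requiring two signals is deliberate: `example.com` has four distinct hostnames and `vendor-example.com` has a single label with entropy above 3 bits, yet neither is flagged, while the placeholder exfiltration domain trips all three checks. In a real deployment the same per-domain statistics would be baselined over time, and the five-minute check interval the article describes would show up as a second, timing-based signal: short bursts of unique subdomains to one domain on a regular cadence.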

SCMagazine.com contacted FireEye to provide additional details on the Multigrain variant, including its most common method of delivery and propagation, but researchers were not available on Tuesday to answer questions.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
