Multigrain, a new variant of the NewPosThings POS malware, uses DNS queries to exfiltrate payment card data from infected systems.

Whoever says “Multigrain” is good for you obviously hasn't run into the point-of-sale malware that goes by that name.

A variant of the NewPosThings POS malware family, dubbed Multigrain, has introduced an interesting wrinkle: it exfiltrates stolen payment card data from POS systems via the Domain Name System (DNS) rather than over HTTP or File Transfer Protocol (FTP), FireEye explained in its threat research blog on Tuesday.

Because DNS is conventionally used to translate domain names into IP addresses, not to carry arbitrary data, it is often overlooked by security teams assessing how data could leave their networks. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external connections, the DNS "is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked," explains the FireEye blog. Any host that can resolve external names can therefore encode stolen data into query names and let the organization's own resolvers forward it to an attacker-controlled domain, which makes DNS an attractive covert channel for criminals.
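To make the detection side concrete, here is an added example (written for this page, not code from FireEye or from the malware) of the kind of check a resolver-log review would apply: score each query name for the traits of tunnelled data (long, high-entropy, base32-looking labels) and flag domains that receive several such distinct names. The log lines are constructed, the `attacker.test` domain is made up, and the base32 chunking in `exfil_qname` is an assumed encoding used only to build realistic samples; the page does not describe Multigrain's exact wire format.

```python
import base64
import math
import re
from collections import Counter, defaultdict

BASE32_LABEL = re.compile(r"^[a-z2-7]+$")  # RFC 4648 base32 alphabet, lower-cased


def exfil_qname(data: bytes, domain: str, label_len: int = 40) -> str:
    """Build a query name the way a DNS-tunnelling tool typically does:
    base32-encode the payload, drop padding, split into short labels.
    (Assumed encoding for this example; the page does not give Multigrain's.)"""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [enc[i:i + label_len] for i in range(0, len(enc), label_len)]
    return ".".join(labels + [domain])


# Constructed resolver log: (client IP, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "ocsp.example.net"),
    ("10.0.5.21", "a1b2c3d4e5f6a7b8c9d0e1f2.cdn.example"),   # long but benign-looking
    ("10.0.5.21", exfil_qname(b";4111111111111111=2512101123456789?", "log.attacker.test")),
    ("10.0.5.21", exfil_qname(b";5555555555554444=2606101000000000?", "log.attacker.test")),
    ("10.0.5.21", exfil_qname(b";378282246310005=2701101000000000?", "log.attacker.test")),
]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Last two labels; a real deployment would use the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def score_query(qname: str) -> int:
    """Score the subdomain part of a query name for traits of tunnelled data."""
    labels = qname.lower().rstrip(".").split(".")[:-2]
    payload = "".join(labels)
    score = 0
    if max((len(l) for l in labels), default=0) >= 30:
        score += 2        # hostnames this long are rare; tunnels fill labels
    if len(payload) >= 40:
        score += 1
    if shannon_entropy(payload) >= 3.5:
        score += 1        # encoded data rather than words
    if len(payload) >= 20 and all(BASE32_LABEL.match(l) for l in labels):
        score += 1        # whole subdomain drawn from the base32 alphabet
    return score


def find_exfil_domains(queries, min_score=3, min_unique_names=3):
    """Return {registered_domain: number of distinct suspicious names} for
    domains that received several high-scoring names. One odd hostname is
    noise; a stream of distinct ones to a single domain looks like a channel."""
    by_domain = defaultdict(set)
    for _client, qname in queries:
        if score_query(qname) >= min_score:
            by_domain[registered_domain(qname)].add(qname.lower())
    return {d: len(names) for d, names in by_domain.items() if len(names) >= min_unique_names}


if __name__ == "__main__":
    for domain, count in find_exfil_domains(SAMPLE_QUERIES).items():
        print(f"possible DNS exfiltration: {count} distinct names under {domain}")
```

The thresholds are starting points to tune against your own resolver logs (CDN and anti-spam lookups produce long labels too, which is why the per-domain count matters more than any single query). The check only works if the queries pass through something you log: force POS hosts to use the internal resolver, block direct outbound port 53 from them, and keep query logs on that resolver.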

Another of Multigrain's quirks, according to FireEye, is that it is uniquely designed to target systems that run the specific POS process multi.exe, which is associated with a popular back-end card authorization and POS server software package.

The malware simply deletes itself if the POS system in question does not run this process; if the process is found, Multigrain installs itself. FireEye suggests this means the attackers already knew the target environment well, and in particular that the card data they wanted passes through the multi.exe process.

Once installed, Multigrain scrapes the memory of the multi.exe process, looking for Track 2 magnetic stripe data, which carries a payment card's Primary Account Number, expiration date, service code and, in its discretionary-data field, the card verification value encoded on the stripe (the CVV1/CVC1, not the CVV2 printed on the back of the card). Every five minutes the malware checks whether it has harvested new card data and, if so, sends it out in DNS queries.
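As an added example (not FireEye's analysis and not Multigrain's code), the scan below applies the Track 2 layout described above to a constructed byte buffer standing in for a page of multi.exe memory. It is the same pattern a memory-forensics triage or DLP rule uses to confirm that a POS process is holding cleartext track data; the buffer contents, the Luhn filter and the PAN masking are this example's own choices.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of up to 19 digits,
# field separator '=', expiry YYMM, 3-digit service code, discretionary data
# (on a real card this field carries CVV1/CVC1, not the printed CVV2), and the
# end sentinel '?' followed by an LRC byte that is ignored here.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,30})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes) -> list:
    """Find Track 2 records in a memory buffer and report them masked."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": "20" + m.group(2).decode() + "-" + m.group(3).decode(),
            "service_code": m.group(4).decode(),
        })
    return findings


# Constructed buffer standing in for a page of POS process memory (not a real
# dump). PANs are the public test numbers; the second record fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS-AUTH v1\x00"
    + b";4111111111111111=25121011234567890123?\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b";4111111111111112=2512101123456789?"
    + b"junk;5555555555554444=26061011000000000?\x00"
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_MEMORY):
        print(hit)
```

Run it against a real process dump only with the authorization a forensic examiner would need; the finding that matters is whether Track 2 data sits in cleartext in process memory at all. Where the POS stack encrypts at the card reader (point-to-point encryption), this scan should come back empty, which removes the data that memory-scraping families like Multigrain depend on.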

SCMagazine.com contacted FireEye to provide additional details on the Multigrain variant, including its most common method of delivery and propagation, but researchers were not available on Tuesday to answer questions.