Threat Management, Incident Response, Malware, TDR

‘Multigrain’ variant of POS malware crops up; uses DNS tunneling to steal data

April 20, 2016

Whoever says “Multigrain” is good for you obviously hasn't run into the point-of-sale malware that goes by this nomenclature.

A variant of the NewPosThings POS malware family, dubbed Multigrain, has introduced a interesting wrinkle—exfiltrating stolen payment card data from POS systems via the Domain Name System (DNS), as opposed to via HTTP or File Transfer Protocol (FTP), FireEye explained in its threat research blog on Tuesday.

Because DNS is conventionally used to translate domain names into IP addresses, and not to transfer general data, the system is often overlooked by cybersecurity officials when assessing potential threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external queries, the DNS "is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked," explains the FireEye blog. Consequently, DNS remains vulnerable to cyber intruders, making this tactic especially appealing to sneaky cybercriminals.

Another of Multigrain's quirks, according to FireEye, is that it is uniquely designed to target systems that run the specific POS process multi.exe, which is associated with a popular back-end card authorization and POS server software package.

The malware will simply delete itself if the POS system in question does not run this particular process; but if the process is detected, then Multigrain installs itself. FireEye suggests that this means the attackers are likely familiar with how to exploit the multi.exe process in particular.

Once executed, Multigrain scrapes the memory of the multi.exe process, looking for Track 2 magnetic stripe data, which normally includes a payment card's Primary Account Number, expiration date, service code and CVV/CVC number. The malware checks every five minutes to see if this data is ready for exfiltration via DNS query.

SCMagazine.com contacted FireEye to provide additional details on the Multigrain variant, including its most common method of delivery and propagation, but researchers were not available on Tuesday to answer questions.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

MDR

How two organizations beat the cyber insurance maze

Paul WagenseilDecember 23, 2024

Boosting digital protections can lead to reduced cybersecurity insurance premiums. Here’s how two firms achieved that after signing up with a managed detection and response (MDR) provider.

AI/ML

AI-fueled phishing, shadow AI, jailbreaks kept security pros busy in 2024

Laura FrenchDecember 23, 2024

Deepfakes, shadow AI and LLM misuse were growing concerns, while AI threat detection, malware analysis and vulnerability research showed promise for cyber defenders.

Cryptocurrency on Binance trading app, Bitcoin BTC with altcoin digital coin crypto currency, BNB, Ethereum, Dogecoin, Cardano, defi p2p decentralized fintech market

Threat Intelligence

Crypto heist proceeds exceed $2B amid more attacks

SC StaffDecember 20, 2024

While crypto platforms had already lost $1.5 billion during the first seven months of 2024, cryptocurrency heists have significantly dropped in frequency and size after separate intrusions against DMM Bitcoin and WazirX.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news