Wheat a moment: Multigrain malware uses DNS to steal POS data

Multigrain malware targets specific processes operating on point-of-sale systems and then exfiltrates data to command and control servers via DNS queries.

Multigrain is an upgrade of existing malware
Multigrain is an upgrade of existing malware

A new variant of malware has been discovered that uses DNS to evade antivirus measures, security researchers have warned.

Dubbed Multigrain, the malware is a variant of the NewPoSThings family of malware. It infects Windows processes that process credit card data and collects financial information before sending it off to a C&C server.

According to researchers at FireEye, while older version of the malware used HTTP and later HTTPS to exfiltrate data, this version uses DNS.

“Using DNS for data exfiltration provides several advantages to the attacker. Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments,” said the researchers in a blog post.

“While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked.”

Other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.

Infoblox noted that DNS exfiltration was a growing problem in a blog post in September last year.

As well as DNS-based extraction of data, Multigrain also focuses its efforts on one type of PoS terminal process: multi.exe. This is associated with a popular back-end card authorization and POS (electronic draft capture) server software package.

If this is not found, the malware doesn't install and deletes itself. “This shows that while developing or building their malware, the attackers had a very specific knowledge of the target environment and knew this process would be running,” the researchers said.

When it does install, Multigrain begins scraping the memory of the targeted process for Track 2 card data. This data is then encrypted with a 1024-bit RSA public key and stored in a buffer and sent to the attacker's C&C servers at five minute intervals.

The researchers said that while the new malware does not bring any new capabilities to the POS malware table, it does show that capable attackers can customise malware “on-the-fly” to target a specific environment.

“While exfiltration via DNS is not a new tactic, Multigrain demonstrates that organisations should monitor and review DNS traffic for suspicious or anomalous behaviour,” they said.

Alex Cruz Farmer, vice president of cloud at Nsfocus, told SCMagazineUK.com that the key here is not so much that anti-virus is not picking up the issue. “The question is why is a Point of Sale device able to access websites and receive DNS responses outside of the protected domain?” he said.

“As we know, a majority of these devices run Windows, meaning that the main DNS lookups – at a bare minimum excluding any of the internal domains to the POS owners – would be Microsoft Updates, and perhaps the Anti-Virus updates.

“From my personal experience, setting up secure environments is about having internal and external views within DNS environments, to ensure that devices are not attempting to get access to malicious websites, or in fact, engineers using the machines to view things like Facebook! Believe me, this happens.”

James Maude, senior security engineer at Avecto, told SC that by writing c:\windows\wme.exe and installing a service, Multigrain exploits admin rights.

“As this malware is digitally signed, it is able to bypass common restrictions and use a DNS service to extract data past corporate defences, evading usual traffic filters and blocks,” he said.

“Due to their largely static environments, the key to securing POS systems is to remove admin rights and implement whitelisting. These solutions make the applications more secure as it ensures that executables can only be accessed by trusted users. 

“Multigrain shows that criminals are continuing to invest both time and money in targeted attacks due to the high returns that can be generated off the back of a breach. With this in mind, it's time corporations put their money into defences to best protect themselves from intelligent and ever-changing threats,” added Maude.