A sophisticated piece of malware, identified as “Multigrain,” has been found stealing payment card data from point-of-sale (POS) stations.
When a team of researchers at FireEye recently discovered this new type of POS malware, they found that it shares traits with a previously known, notorious POS malware family, NewposThings. However, the new variant uses more advanced techniques to steal card data: it carries a digital signature, specifically targets POS terminals, and exfiltrates the stolen information over the Domain Name System (DNS).
Although Multigrain is novel in its approach, other members of the POS malware family, such as FrameworkPOS and BernhardPOS, have used similar tactics against POS security in the past.
Ideally, POS stations and other environments that handle sensitive data monitor, regulate or even block HTTP and FTP traffic, which could otherwise be used to exfiltrate the data being processed.
But because target organizations do not usually filter DNS traffic, data exfiltration by the Multigrain POS malware goes unchecked. Unlike other POS malware that scans memory broadly to look up card data, Multigrain zeroes in on a single process, multi.exe.
Multigrain also deletes itself from a system without leaving a trace if it does not find the multi.exe process on the target device.
“MULTIGRAIN has been custom-engineered to target a specific point of sale process: multi.exe, associated with a popular back-end card authorization and POS (electronic draft capture) server software package. If multi.exe is not found on the infected host, the malware will not install and will simply delete itself,” reads the article posted on FireEye's website.
On a victim device, the memory-scraping POS malware installs itself and uses the DJB2 hash algorithm to produce a hash that is used to encode details of the device, such as the computer name and version number, so that they can be transferred over DNS. The hash and the device details are combined into a hard-coded set and encoded with a custom Base32 algorithm.
Finally, this POS malware scrapes the process memory and uses the Luhn algorithm, a checksum formula for validating identification numbers such as credit card numbers and IMEI numbers, to pick out card data.
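As an added illustration of the defensive point made above about unfiltered DNS traffic and Base32-encoded beacons (this is example code written for this article, not FireEye's tooling or the malware's code), the following heuristic scans DNS query log lines for long, high-entropy labels drawn from the Base32 alphabet. The log format, the thresholds and the domain names are constructed assumptions.

```python
import math
import re
from collections import Counter

# Heuristic DNS-exfiltration detector (added example): flags queries whose
# leftmost labels look like an encoded payload: Base32 alphabet, long, and
# high entropy. Thresholds are assumptions, not figures from the FireEye report.
BASE32_LABEL = re.compile(r"^[A-Z2-7=]+$", re.IGNORECASE)
MIN_PAYLOAD_LEN = 30     # assumed: ordinary hostnames are rarely this long
MIN_ENTROPY_BITS = 3.5   # assumed: encoded data is close to uniform

def shannon_entropy(s):
    """Bits of entropy per character of s (case-folded)."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(qname, domain_labels=2):
    """Split 'payload.labels.domain.tld' into (payload, registered domain)."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-domain_labels]), ".".join(labels[-domain_labels:])

def is_suspicious(qname):
    payload, _ = split_query(qname)
    if len(payload) < MIN_PAYLOAD_LEN or not BASE32_LABEL.match(payload):
        return False
    return shannon_entropy(payload) >= MIN_ENTROPY_BITS

def flag_exfil(log_lines):
    """Return (qname, domain) pairs for queries that look like encoded exfil."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue  # not a query record in the assumed 'ts client query: name type' format
        qname = parts[3]
        if is_suspicious(qname):
            flagged.append((qname, split_query(qname)[1]))
    return flagged

# Constructed sample log lines (not real traffic). The long Base32 label
# stands in for an encoded beacon; the other lines are ordinary lookups.
SAMPLE_LOG = [
    "2016-04-20T10:00:01 10.0.0.5 query: www.example.com A",
    "2016-04-20T10:00:02 10.0.0.5 query: MFRGGZDFMZTWQ2LKNNRXIZLTONQWS4TBNZRW6ZTFOJUGM.dns-exfil.example A",
    "2016-04-20T10:00:03 10.0.0.7 query: mail.example.com MX",
]
if __name__ == "__main__":
    for qname, domain in flag_exfil(SAMPLE_LOG):
        print("possible DNS exfiltration:", qname, "->", domain)
```

In production the check would run against resolver or firewall DNS logs and be paired with per-client query volume, since a beacon that chunks data produces many such queries to one domain.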