
Multigrain Malware for PoS Terminals

There’s a new form of malware hitting Point of Sale (PoS) terminals in order to steal users’ credit card information. Called Multigrain, it sends the stolen information back to the criminals who made it over the Domain Name System (DNS).

This type of malware is not new, even though some of the techniques Multigrain uses are. Malware that infects PoS terminals is known as NewPosThings and typically looks for credit card data in a variety of different processes. Multigrain, however, is far more targeted.

The malware’s designers clearly had knowledge of the system they were targeting. Multigrain goes after a specific process called “multi.exe” that is used by a popular, as yet unnamed, card authorization and PoS server. It installs itself under the name “Windows Module Extension” and checks for that process; if multi.exe does not exist on the compromised machine, Multigrain runs and then deletes itself.

The malicious software encrypts the stolen credit card data with a 1024-bit RSA key and then Base32-encodes the result. That encoded data is sent to the attackers as part of a DNS query to an authoritative DNS server they control.

Multigrain is not the only malware that uses this technique to send stolen data to hackers. Many places that process credit card information restrict HTTP or FTP communication in order to mitigate other types of attacks, but DNS generally is not restricted, because it is needed to resolve hostnames. This allows thieves to exfiltrate sensitive information even in environments where most other internet traffic is blocked.
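Because the card data is RSA-encrypted before it leaves the terminal, a defender cannot recognise it by content; what can be spotted is the shape of the queries: unusually long subdomain labels drawn from the Base32 alphabet, with high entropy, repeated from one client to one external zone. The following Python script is an added example, not code from the original post or from any vendor report; it runs a heuristic of that kind over a small, constructed DNS query log (the log format, the client addresses and the zone “ws.example” are all assumptions made up for the example).

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log in a hypothetical "<timestamp> <client> <qname>" format.
# The long labels are Base32 text made up for this example; "ws.example" stands in for an
# attacker-controlled authoritative zone. None of this is taken from a real capture.
SAMPLE_LOG = """\
2016-04-19T10:01:02Z 10.0.5.21 www.example.com
2016-04-19T10:01:03Z 10.0.5.21 pos-updates.vendor.example
2016-04-19T10:01:04Z 10.0.5.22 MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI.ws.example
2016-04-19T10:01:05Z 10.0.5.22 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example
2016-04-19T10:01:06Z 10.0.5.22 GEZDGNBVGY3TQOJQKRUGS4ZANFZSAYJAORSXG5A.ws.example
"""

# RFC 4648 Base32 alphabet: A-Z and 2-7, with optional '=' padding.
BASE32_LABEL = re.compile(r"^[A-Z2-7]+=*$", re.IGNORECASE)


def shannon_entropy(text):
    """Bits of entropy per character: random Base32 text sits near 5, hostnames far lower."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label, min_len=30, min_entropy=3.5):
    """True when one DNS label looks like an encoded payload: long, Base32-only, high entropy."""
    return (
        len(label) >= min_len
        and BASE32_LABEL.match(label) is not None
        and shannon_entropy(label) >= min_entropy
    )


def registered_zone(qname, labels_in_zone=2):
    """Crude zone extraction (last two labels); a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-labels_in_zone:])


def find_suspicious_queries(log_text):
    """Return one record per query whose subdomain part carries a suspicious label."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        labels = qname.rstrip(".").split(".")
        subdomain_labels = labels[:-2]  # everything left of the registered zone
        for label in subdomain_labels:
            if is_suspicious_label(label):
                hits.append({
                    "time": ts,
                    "client": client,
                    "zone": registered_zone(qname),
                    "label_len": len(label),
                    "entropy": round(shannon_entropy(label), 2),
                })
                break
    return hits


def clients_by_zone(hits):
    """Aggregate hits per (client, zone): repeated hits to one zone are the tunnelling signature."""
    return dict(Counter((h["client"], h["zone"]) for h in hits))


if __name__ == "__main__":
    found = find_suspicious_queries(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_by_zone(found))
```

On the sample log only the two queries to ws.example are flagged: the ordinary hostnames fail the length or alphabet checks, and the forty-character run of “a” passes the alphabet check but has zero entropy, which is why the entropy threshold is there. In production the useful signal is the aggregated count per client and zone over a time window rather than any single query, and thresholds should be tuned against the site’s own baseline (some CDNs and security products legitimately emit long encoded labels).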