Multigrain Malware Targets Multi.Exe Process, Steals and Exfiltrates Data, Pretending as DNS Queries

Security researchers caution after discovering one fresh strain of malware which utilizes DNS for bypassing security products. The malware, which is called Multigrain, belongs to the NewPoSThings family of malicious programs. The variant contaminates Windows processes which treat data on credit cards as well as garners financial data prior to dispatching everything onto its command-and-control server.

As per FireEye, its researchers compare a previous version of Multigrain that utilized HTTP and HTTPS for sending out data, with the current one which utilizes DNS. The reason -unlike other point-of-sale malicious software which hunt for card information within several processes' memory, Multigrain attacks only one process namely multi.exe, which's related to one widely-accepted back-end card authentication as well as PoS server. Suppose multi.exe isn't enabled on the hijacked PC, still there's the routine contamination after which the malicious software erases itself.

The researchers write the above indicates that when attackers create their malware, they already have extremely specific information about their target's nature as also know that the particular process would run. Pcworld.com posted this, April 20, 2016.

When installed and run, Multigrain grazes multi.exe process' memory, searching whether Track 2 payment card data exists that usually contains credit/debit card's CVC/CVV number, service code, expiration date along with Primary Account Number. The malicious program examines every 5-mins whether the data described can be readily sent out through DNS query.

More specifically, the new Multigrain will solely hunts to find if the multi.exe process in Windows is running while enabled on just a single PoS terminal followed with infecting it subsequently. On entering multi.exe, Multigrain waits to find Track 2 data of payment card whose information it'll record, encrypt with one 1024-bit RSA encryption code, as also exfiltrate it onto its C&C server every 5-mins, camouflaged as DNS requests.

FireEye researchers elaborate that albeit Multigrain doesn't introduce any fresh capabilities to point-of-sale malicious software category, it does demonstrate how skilled attackers can tailor make their malware for using it on a target of particular nature. And whereas exfiltration through DNS isn't any unknown tactic, NewPoSThings Multigrain shows why companies require monitoring/checking if incoming DNS traffic performs any anomalous/suspicious activity.

» SPAMfighter News - 4/27/2016