
Multigrain

Posted: May 14, 2019

The development and use of Point-of-Sale (PoS) malware has become a lucrative market for cybercriminals who make the most of this malware’s abilities: a successful campaign may yield the details of tens of thousands of credit cards, which can then be sold to other criminals on underground markets. One of the PoS malware families to attract the attention of researchers is called Multigrain. It uses a basic memory-scraping technique to obtain credit card information, a method used by just about every modern piece of PoS malware because laws prohibit the storage of credit card information on disk, leaving the memory of the payment process as the one place where the card data exists in clear text while it is being processed.

The authors of Multigrain appear to use different versions of their malware depending on the target. One widely spread sample that malware researchers analyzed attempted to scrape the memory of just two processes, ‘brain.exe’ and ‘spcwin.exe’. These processes are also known to be the primary targets of Alina, another piece of Point-of-Sale malware. If Multigrain does not detect either of these processes, it stays dormant.

One of the unique things about Multigrain is the way it exfiltrates data: instead of relying on FTP or HTTP transfers, which can be filtered easily, it relies on DNS queries. Using the DNS protocol for data transfer is neither reliable nor efficient, but malware authors favor it because it is subject to far laxer security policies. DNS plays a crucial role in Internet connectivity, and any misconfiguration may cause it to malfunction, so administrators are reluctant to filter it aggressively. Furthermore, it is one of the last Internet protocols to attract the attention of researchers; HTTP, FTP, and mail transfer are usually the primary suspects when it comes to Command & Control (C&C) server communication. Other PoS malware families also use DNS for C&C communication; BernhardPOS and FrameworkPOS are two prime examples.
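The defender’s counterpart to this technique is to look at resolver logs for the traits that data-carrying DNS queries cannot hide: unusually long subdomain labels, labels whose character distribution looks like hex or base32 rather than words, and many distinct subdomains under a single parent domain in a short window. The script below is an added example written for this page, not code from the article or from any Multigrain analysis. The log format, the `exfil-demo.invalid` domain, the query lines and the thresholds are all constructed for the demonstration and should be tuned against a real baseline before use.

```python
"""Heuristic detector for DNS-based data exfiltration in resolver query logs.

Added example (not from the original article, not derived from any sample):
it scores queries on long labels, high-entropy labels and the number of unique
subdomains per parent domain. Log format and domains are constructed.
"""
import math
from collections import defaultdict

# Constructed log format: "<timestamp> <client_ip> <qtype> <qname>"
# Label rotations of 0123456789abcdef are used so the entropy is deterministic.
SAMPLE_LOG = """
2019-05-14T10:00:01Z 10.0.0.15 A www.example.com
2019-05-14T10:00:02Z 10.0.0.15 A mail.example.com
2019-05-14T10:00:03Z 10.0.0.15 AAAA cdn.example.net
2019-05-14T10:00:04Z 10.0.0.15 A 0123456789abcdef0123456789abcdef0123456789abcdef.exfil-demo.invalid
2019-05-14T10:00:05Z 10.0.0.15 A 123456789abcdef0123456789abcdef0123456789abcdef0.exfil-demo.invalid
2019-05-14T10:00:06Z 10.0.0.15 A 23456789abcdef0123456789abcdef0123456789abcdef01.exfil-demo.invalid
2019-05-14T10:00:07Z 10.0.0.15 A 3456789abcdef0123456789abcdef0123456789abcdef012.exfil-demo.invalid
2019-05-14T10:00:08Z 10.0.0.15 A 456789abcdef0123456789abcdef0123456789abcdef0123.exfil-demo.invalid
"""

# Thresholds are assumptions for the demo; tune them against your own baseline.
MAX_LABEL_LEN = 40          # longest single label before it counts as suspicious
MIN_ENTROPY_LABEL_LEN = 16  # only score entropy on labels long enough to be meaningful
MIN_ENTROPY = 3.5           # bits/char; hex/base32 blobs sit well above English words
MIN_UNIQUE_SUBDOMAINS = 5   # distinct subdomains under one parent in the log window


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a string (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(lines):
    """Yield (timestamp, client, qtype, normalised qname); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield ts, client, qtype, qname.lower().rstrip(".")


def analyse(lines):
    """Group queries by parent domain and attach the reasons each one looks odd.

    Returns {parent: {"queries": int, "unique_subdomains": int, "reasons": set}}.
    An empty "reasons" set means the parent domain looks benign under these rules.
    """
    report = {}
    subdomains = defaultdict(set)
    for _ts, _client, _qtype, qname in parse_log(lines):
        parent = parent_domain(qname)
        entry = report.setdefault(parent, {"queries": 0, "reasons": set()})
        entry["queries"] += 1
        sub = qname[: -len(parent)].rstrip(".") if qname != parent else ""
        if not sub:
            continue
        subdomains[parent].add(sub)
        for label in sub.split("."):
            if len(label) > MAX_LABEL_LEN:
                entry["reasons"].add("long_label")
            if len(label) >= MIN_ENTROPY_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
                entry["reasons"].add("high_entropy_label")
    for parent, entry in report.items():
        entry["unique_subdomains"] = len(subdomains[parent])
        if entry["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS:
            entry["reasons"].add("many_unique_subdomains")
    return report


def flagged_parents(lines):
    """Sorted list of parent domains with at least one suspicious trait."""
    return sorted(p for p, e in analyse(lines).items() if e["reasons"])


if __name__ == "__main__":
    for parent, entry in analyse(SAMPLE_LOG.splitlines()).items():
        status = "SUSPECT" if entry["reasons"] else "ok"
        print(f"{status:8} {parent:24} queries={entry['queries']} "
              f"unique_subdomains={entry['unique_subdomains']} "
              f"reasons={sorted(entry['reasons'])}")
```

Run against the constructed log, `example.com` and `example.net` come out clean while `exfil-demo.invalid` trips all three rules. In production the same three features are cheap to compute on a resolver’s query log, and the unique-subdomain count is the one that survives when the sender keeps individual labels short; the two-label parent guess should be replaced with a public-suffix lookup so that `co.uk`-style domains are not grouped together.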

Multigrain achieves persistence on the compromised host by creating a new Windows service titled ‘Windows Module Extension’. Before adding the service, the malware determines the region of the victim’s IP address and transmits it to the control server; this step might allow the attacker to avoid infecting PoS devices in certain countries.

Companies need to protect PoS devices by applying all Windows updates and making full use of the security features offered by reputable antivirus vendors.
