Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS). Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.
Because DNS is conventionally used to translate domain names into IP addresses rather than to carry arbitrary data, it is often overlooked by security staff when assessing threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external queries, DNS “is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked”. As a result, DNS remains an open channel for intruders, which makes this tactic especially appealing to stealthy attackers.
Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and, more importantly, it sends stolen data back to the attackers via DNS queries.
Stolen payment card data is first encrypted with a 1024-bit RSA key and then Base32-encoded. The encoded data is embedded in a DNS query for log.[encoded_data].evildomain.com, where “evildomain” is a domain name controlled by the attackers. The query arrives at the authoritative DNS server for that domain, which the attackers also control.
This technique, while not specific to Multigrain, allows attackers to pass data out of restricted environments where other Internet communication protocols are blocked.
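The pattern described above (a `log.` prefix, one or more Base32 labels, an attacker-controlled domain) is something a defender can hunt for in DNS query logs. The following is an added example, not code from the article or from any of the researchers it cites: it scans constructed sample log lines for query names whose middle labels are long, high-entropy Base32 text. It assumes a simple four-field log format and a two-label registered domain; the payload labels are Base32 of a placeholder string, not real card data.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample DNS query log, "<time> <client> <qname> <qtype>"; not real traffic.
# Payload labels are Base32 of a placeholder, standing in for the RSA ciphertext the
# article describes (a 1024-bit RSA block Base32-encodes to 208 characters, so a real
# payload spans several DNS labels of at most 63 characters each).
_BLOB1 = base64.b32encode(b"1234567890" * 3).decode()   # 48 characters
_BLOB2 = base64.b32encode(b"1234567890").decode()       # 16 characters
SAMPLE_LOG = f"""\
2016-04-19T10:00:01Z 10.0.5.21 www.example.com A
2016-04-19T10:00:02Z 10.0.5.21 log.{_BLOB1}.{_BLOB2}.evildomain.com A
2016-04-19T10:00:03Z 10.0.5.22 mail.corp.example.com MX
2016-04-19T10:00:04Z 10.0.5.21 log.short.evildomain.com A
"""

BASE32_LABEL = re.compile(r"^[A-Z2-7]+=*$", re.IGNORECASE)

def shannon_entropy(s):
    """Bits of entropy per character; Base32 ciphertext sits near 5, plain hostnames lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_dns_exfil(qname, min_payload=32, min_entropy=3.0):
    """True when qname matches log.<base32 labels>.<domain>.<tld> with a long,
    high-entropy encoded section. Assumes a two-label registered domain
    (hypothetical simplification; production code would use a public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 4 or labels[0].lower() != "log":
        return False
    payload = labels[1:-2]                      # labels between "log" and the domain
    if not all(BASE32_LABEL.match(lbl) for lbl in payload):
        return False
    blob = "".join(payload)
    return len(blob) >= min_payload and shannon_entropy(blob) >= min_entropy

def flag_suspicious_queries(log_text):
    """Return (client, qname) for every log line whose query name fits the pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _time, client, qname, _qtype = parts[:4]
        if looks_like_dns_exfil(qname):
            hits.append((client, qname))
    return hits
```

In a real deployment the thresholds would be tuned against a baseline of the organization's own resolver logs, since legitimate services (CDNs, some anti-spam lookups) also generate long encoded labels.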