The malware was designed for stealth operation inside restricted PoS environments

Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS).

Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments.

That’s because unlike other PoS malware programs that look for card data in the memory of many processes, Multigrain targets a single process called multi.exe that’s associated with a popular back-end card authorization and PoS server. If this process is not running on the compromised machine, the infection routine exits and the malware deletes itself.

“This shows that while developing or building their malware, the attackers had a very specific knowledge of the target environment and knew this process would be running,” security researchers from FireEye said in a blog post.

FireEye did not name the PoS software that Multigrain targeted. However, threats like this show the need for companies to monitor the DNS traffic that originates from their own networks for suspicious behavior.

Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and, more importantly, it sends data back to attackers via DNS queries. Stolen payment card data is first encrypted with a 1024-bit RSA key and then passed through a Base32 encoding process. The resulting encoded data is used in a DNS query for log.[encoded_data].evildomain.com, where “evildomain” is a domain name controlled by the attackers.
This query will appear in the authoritative DNS server for the domain, which is also controlled by the attackers.

This technique, while not specific to Multigrain, allows attackers to pass data out of restricted environments where other Internet communication protocols are blocked.

“Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments,” the FireEye researchers said. “While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked.”
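A defender-side check for the query shape described above (a long Base32-looking label under one zone, and many distinct names under that zone), as an added example that is not from the article or from FireEye. The query names are constructed for the example, and evildomain.com is the article's own placeholder, not a real indicator.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of DNS query names (as seen in resolver logs); not data
# from the article. The two "log." names imitate the shape FireEye describes:
# log.<Base32-encoded payload>.<attacker-controlled domain>.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.corp.example.com",
    "log.GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.evildomain.com",
    "log.MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HS6L2GEZDGNBV.evildomain.com",
    "cdn-assets.example.net",
]

# A single DNS label is at most 63 bytes; Base32 output uses only A-Z and 2-7.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{24,63}$")


def shannon_entropy(s):
    """Bits per character; encoded payload scores far higher than a hostname."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encoded_labels(qname, min_entropy=3.0):
    """Labels of qname that look like Base32-encoded data rather than a name."""
    return [lab for lab in qname.upper().split(".")
            if BASE32_LABEL.match(lab) and shannon_entropy(lab) >= min_entropy]


def flag_queries(qnames):
    """Query names carrying at least one encoded-looking label."""
    return [q for q in qnames if encoded_labels(q)]


def distinct_names_per_zone(qnames):
    """Distinct query names under each registered domain (last two labels).
    Exfiltration over DNS produces many unique names under one attacker zone."""
    seen = defaultdict(set)
    for q in qnames:
        parts = q.lower().split(".")
        seen[".".join(parts[-2:])].add(q.lower())
    return {zone: len(names) for zone, names in seen.items()}


if __name__ == "__main__":
    for q in flag_queries(SAMPLE_QUERIES):
        print("suspicious:", q)
    print(distinct_names_per_zone(SAMPLE_QUERIES))
```

Run against resolver logs, the two checks complement each other: the label test catches a single encoded query, while the per-zone count surfaces a slow trickle of short labels that would pass the length threshold individually.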