Multigrain

Multigrain is a variant of NewPosThings, first reported by FireEye in April 2016. According to FireEye's report, Multigrain consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used the technique in the past. Multigrain has been custom-engineered to target a specific point-of-sale process, multi.exe, associated with a popular back-end card authorization and POS server software package. If multi.exe is not found on the infected host, the malware will not install and will simply delete itself. If the targeted POS process is running on the host and the malware is executed with a command line parameter designating “installation mode”, Multigrain copies itself to the hardcoded location “c:\windows\wme.exe”.

Once executed, Multigrain scrapes the memory of the multi.exe process for Track 2 card data and validates it using the Luhn algorithm. Each Track 2 record is encrypted with a 1024-bit RSA public key, encoded using a custom Base32 process, and then stored in a buffer. Every five minutes, the malware checks this buffer to see if any card data is ready for exfiltration. If card data is present, the encrypted and encoded Track 2 record for each card is sent over the network as a DNS query made by the malware.
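The exfiltration channel described above leaves a footprint in DNS logs, and the following is an added example for hunting it, not code from FireEye's report or from the Multigrain sample: it scans constructed DNS query log lines and flags a query whose leftmost label is long, drawn from the standard Base32 alphabet and high-entropy, which is what an encoded, encrypted record looks like on the wire. The log format, the placeholder domains and the use of the RFC 4648 alphabet are assumptions; the malware's custom Base32 may use a different alphabet, so the character-class check would need adjusting once that alphabet is known.

```python
# Added example (not from the FireEye report or the Multigrain sample):
# heuristic detection of Base32-encoded data leaving the network as DNS queries.
import math
import re
from collections import Counter

# Constructed sample lines in an assumed "<timestamp> <client> <qname>" format.
# Domains are placeholders, not indicators from any report.
SAMPLE_DNS_LOG = """\
2016-04-19T10:00:01 10.0.0.5 www.example.com
2016-04-19T10:00:02 10.0.0.5 MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HS6DZ.placeholder-attacker.test
2016-04-19T10:00:03 10.0.0.5 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.placeholder-attacker.test
2016-04-19T10:05:03 10.0.0.7 mail.example.org
"""

# Standard RFC 4648 Base32 alphabet (assumption: the custom variant may differ).
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious_qname(qname: str, min_len: int = 30, min_entropy: float = 3.5) -> bool:
    """True when the leftmost label looks like an encoded payload: at least
    min_len characters, Base32 alphabet only, and entropy above min_entropy.
    The entropy floor rejects long but repetitive labels (e.g. all 'A')."""
    label = qname.split(".", 1)[0].upper()  # DNS names are case-insensitive
    return (len(label) >= min_len
            and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)


def flag_exfil_queries(log_text: str) -> list:
    """Return (client, qname) pairs for every log line that trips the heuristic."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _timestamp, client, qname = parts
        if is_suspicious_qname(qname):
            hits.append((client, qname))
    return hits
```

Per-client hit counts over a window matter more than single hits: a host emitting one such query roughly every five minutes matches the buffer-flush cadence described above.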

Reporting

Technical Details

  • FireEye provides technical analysis and indicators of Multigrain, available here.

Sample digital signature of Multigrain. Image Source: FireEye