Malware uses clever trick to avoid detection

A new version of the NewPosThings PoS malware is using a clever technique to extract data from infected PoS terminals that almost no security solution monitors for malware activity.
The NewPoSThings malware appeared many years ago, and for a long time it didn’t stand out in the crowd of other PoS malware families.
Just like the competition, NewPoSThings infected Windows processes that handled credit card data, scraping content for financial information, and then sending it to its C&C server.
In its first versions, the exfiltration process occurred via HTTP and then HTTPS. In its most recent version, this process changed to DNS.
Most security software doesn’t scan DNS queries
The reason behind such a drastic change resides in the fact that most security solutions are configured to watch HTTP and HTTPS traffic for any suspicious activity.
In order to avoid getting detected, the most recent version of NewPoSThings has migrated to using DNS requests, which antivirus solutions don't watch, and which can't simply be blocked since DNS is needed to resolve domain names and hostnames.
Other PoS malware strains such as BernhardPOS and FrameworkPOS have also used this very same trick.
Latest version of NewPosThings only targets one PoS platform
Besides DNS-based exfiltration, the new version of NewPoSThings, nicknamed MULTIGRAIN, also comes with another peculiarity. It appears that its operators have decided to target only one specific type of PoS platform.
MULTIGRAIN will only look for the multi.exe Windows process, specific only to one PoS terminal vendor, and proceed to infect it. Once inside this process, the malware stands by and waits for Track 2 credit card data.
NewPoSThings MULTIGRAIN will record this info, encrypt it with a 1024-bit RSA public key, and send it to its command and control servers at five-minute intervals, masked as DNS queries.
“Although MULTIGRAIN does not bring any new capabilities to the POS malware table, it does show that capable attackers can customize malware ‘on-the-fly’ to target a specific environment,” FireEye researchers explained. “While exfiltration via DNS is not a new tactic, MULTIGRAIN demonstrates that organizations should monitor and review DNS traffic for suspicious or anomalous behavior.”
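The FireEye recommendation above (monitor and review DNS traffic for anomalous behaviour) and the pattern the article describes (card data sent as DNS queries every five minutes) can be turned into a simple log-based detector. The Python script below is an added example, not code from the article or from FireEye. It parses constructed DNS query log lines (the line format, the hosts, the upd-example.test domain and the numeric thresholds are all assumptions), scores each source/domain pair on subdomain length, character entropy and the regularity of the gaps between queries, and reports the pairs that look like encoded data leaving on a timer.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): "<ISO timestamp> <source IP> <query name>".
# 10.0.0.21 makes ordinary lookups and then four long, random-looking subdomains
# of upd-example.test exactly five minutes apart; 10.0.0.22 is benign background noise.
SAMPLE_LOG = """\
2016-04-19T10:00:00 10.0.0.21 www.example.com
2016-04-19T10:00:03 10.0.0.21 mail.example.com
2016-04-19T10:05:00 10.0.0.21 kq7x2m9vh3nz8pl4wt6ybr5ac0sdj1ef.upd-example.test
2016-04-19T10:10:00 10.0.0.21 p3w8zt1m6nk4vq9hx2lb7yr5cd0fsja3.upd-example.test
2016-04-19T10:15:00 10.0.0.21 z9vq2bn7wk4xt1hp6ml8cr3yd5fs0jae.upd-example.test
2016-04-19T10:20:00 10.0.0.21 m4kx7pw2nz9vt1qh5bl3yr8cd6fs0ja2.upd-example.test
2016-04-19T10:02:11 10.0.0.22 cdn.example.com
2016-04-19T10:07:45 10.0.0.22 static.example.com
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, source, query name) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname = line.split()
        entries.append((datetime.fromisoformat(ts), src, qname.rstrip(".").lower()))
    return entries


def shannon_entropy(s):
    """Bits of entropy per character: encoded or encrypted data scores high, hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered domain) using a last-two-labels heuristic.
    This is an assumption for the example; production code should use a public suffix list."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_suspicious(entries, min_queries=3, min_sub_len=20, min_entropy=3.5, max_jitter=0.1):
    """Flag (source, domain) pairs whose subdomains look like encoded data and arrive on a timer.
    Thresholds are illustrative assumptions and should be tuned against real baseline traffic."""
    groups = defaultdict(list)
    for ts, src, qname in entries:
        sub, dom = split_name(qname)
        groups[(src, dom)].append((ts, sub))

    alerts = []
    for (src, dom), rows in groups.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        subs = [sub for _, sub in rows]
        mean_len = statistics.mean(len(s) for s in subs)
        mean_ent = statistics.mean(shannon_entropy(s) for s in subs)
        if mean_len < min_sub_len or mean_ent < min_entropy:
            continue
        # Beacon-style regularity: low relative spread of the inter-query gaps.
        gaps = [(rows[i][0] - rows[i - 1][0]).total_seconds() for i in range(1, len(rows))]
        mean_gap = statistics.mean(gaps)
        jitter = (statistics.pstdev(gaps) / mean_gap) if mean_gap > 0 else 1.0
        alerts.append({
            "source": src,
            "domain": dom,
            "queries": len(rows),
            "unique_subdomains": len(set(subs)),
            "mean_subdomain_len": mean_len,
            "mean_entropy": mean_ent,
            "mean_interval_s": mean_gap,
            "periodic": len(gaps) >= 2 and jitter <= max_jitter,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run stand-alone, the script reports a single alert for 10.0.0.21 against upd-example.test: four queries, each with a unique 32-character high-entropy subdomain, spaced exactly 300 seconds apart. The three signals are combined deliberately: long labels alone match CDN and telemetry hostnames, high entropy alone matches legitimate hashed names, and periodicity alone matches every software update check, but a host that shows all three toward one domain is worth a look, which is the kind of review the quoted researchers are asking for.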