VXers pass stolen card data over DNS
NewPosThings back as Multigrain, says Fireeye
The NewPosThings malware has spawned an offspring that exploits the DNS protocol to sneak data past firewalls.
The VXers have reasoned DNS has a couple of advantages for data exfiltration. Since the enterprise network can't talk to the Internet without it, it's unlikely to be blocked; and since it's probably thought of as more-or-less benign, sysadmins probably don't look too hard at what's in DNS packets.
As Fireeye notes, sysadmins in card-processing environments will generally pay much more attention to monitoring, restricting or blocking HTTP or FTP traffic. Prior POS malware attacks to use DNS include BernhardPOS and FrameworkPOS.
The “Multigrain” variant of NewPosThings, discussed here, targets the multi.exe back-end POS process – if that's not present, the attack ends.
After infection, Multigrain's beaconing uses a crafted DNS query to notify the attacker of a successful installation, and starts scraping the target's memory to get card data (account number, expiry date and card security number).
This gets encrypted with a 1024-bit RSA key, and sent at five-minute intervals to the attackers (again via DNS).
The Fireeye post notes that Multigrain's strongest similarities to NewPosThings is in the code that scrapes the target's memory, and the DJB2 hashing algorithm that identifies the target machine in the attacker's command and control. ®