Multigrain

Cybercriminals have had their eyes locked on Point-of-Sale (PoS) devices for now, and malware experts have had to deal with dozens of malware families that target these devices in particular. One of the notable names to be featured on the list of PoS malware is Multigrain, a memory scraper that looks for credit card information and exfiltrates it to the attacker’s control server. Nearly all modern PoS malware relies on memory scraping because businesses and PoS device vendors are forbidden from storing card details on a disk. One would think that this security measure would have discouraged cybercriminals, but apparently, it motivated them to evolve the malware they use to carry out these attacks.

When Multigrain is initialized on a computer, it may set up a Windows service called ‘Windows Module Extension’ immediately. Naturally, the service is programmed to start with Windows automatically, therefore ensuring that the Multigrain malware will continue to work even if the computer is restarted. The Multigrain also is able to dodge certain countries and regions – it checks the IP of the infected host and reports it back to the attacker, therefore allowing them to cease the operation if they wish.

It is possible that the authors of the Multigrain may use multiple variants that are meant to target the devices of different vendors – the one that researchers managed to obtain focused on scraping memory from the processes ‘brain.exe’ or ‘spcwin.exe.’ If neither of those is present on the infected computer, the Multigrain will terminate itself.

The last bit of interesting information about the Multigrain’s attack is the way it exfiltrates data. Instead of relying on the typical FTP or HTTP protocols, it relies on the DNS protocol. This particular technique has some drawbacks, but they do not get in the way of the one-way communication channel that the Multigrain requires. The DNS Internet protocol is often neglected by security policies due to its critical importance, and this may be why authors of PoS malware often rely on it.

Attacks against PoS devices are preventable by applying the latest security updates for the operating system, as well as by using a reputable anti-malware software suite. Last but not least, no one should download unknown files to PoS devices, especially if they are not protected sufficiently.