The updated version of NewPoSThings malware has been rolled-out. It harvests card credentials at point-of-sale terminals and disguises the data transfer to C&C servers as DNS requests. Earlier versions of the malware reported the stolen info using first HTTP, and later HTTPS. At present, no AV security solutions monitor the exfiltration route that NewPoSThings is now using. DNS requests are vital to resolve hostnames and domains so cannot be switched off. Two different malware also use this tactic: BernhardPOS and FrameworkPOS.
The first HTTP version of NewPoSThings released was in 2014, though due to activity previous to this, researchers think that it was under development ten months before in 2013. Last year several versions were released. It was updated from 32 to 64-bit, and underwent with minor changes to help evade AV scanning. Several airports have been hit (including LAX last year); NewPoSThings is thought to have been used for these attacks.
This new market model is nicknamed Multigrain, because the hackers only target a specific PoS platform: Windows multi.exe. This is specific to a single vendor at PoS. Once infection occurs the malware sits in wait to perform a RAM scrape for Track 2 data from customer cards. NewPoSThings/ Multigrain records the data, encrypts it using a 1024-bit RSA public key and Base32 encoding to relay it back to its controllers. This is process is repeated at five minute intervals, masquerading as DNS queries. Analysts believe that Base32 is used because of its ‘obscurity’, and is an evasive attempt (Base64 as used in e-mails would be detected by security/data-loss software much more easily).
“Although Multigrain does not bring any new capabilities to the POS malware table, it does show that capable attackers can customize malware ‘on-the-fly’ to target a specific environment,” a FireEye researcher stated. Data exfiltration is not unique to Multigrain, but the malware’s launch should prompt organizations to monitor DNS traffic for unusual behavior.
