The NewPoSThings point-of-sale malware may be a few years old, but it’s not too old to learn new attack tricks. Like other memory scrapers, NewPoSThings scrapes memory for credit card data and then exfiltrates that information back to the attackers. And, like most such software, it uses a variety of techniques to hide itself from anti-malware and intrusion detection software.
While many of these programs will use FTP and HTTP to transmit card data, the latest version of NewPoSThings exploits DNS for transporting data. According to the FireEye researchers that identified this new variant, using DNS for data exfiltration provides several advantages to the attacker:
“Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments. While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked,” they state.
This isn’t entirely new, but it is worth noting. Older memory scrapers, BernhardPOS and FrameworkPOS, have used DNS in their attacks as well. And while it’s common for PoS malware to examine running memory for signs of credit card numbers, FireEye engineers say that this new NewPoSThings variant, dubbed MULTIGRAIN, has been designed to target a specific process on PoS machines, multi.exe. If that process is found to be running, MULTIGRAIN continues to scrape and exfiltrate data. If multi.exe is not running, the malware destroys itself.
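The FireEye quote above explains why DNS is attractive for exfiltration: it is rarely blocked in card-processing environments. The defensive counterpart is to watch resolver logs for the shape such traffic takes, namely many lookups of long, high-entropy subdomains under one registered domain. The script below is an added example written for this article; it is not code from the article, from FireEye, or from any of the malware families named here. The log format, the sample log lines, the thresholds, and the "last two labels" approximation of a registered domain are all assumptions made for the example (a real deployment would use a public-suffix list and tune the thresholds against its own baseline).

```python
import math
from collections import defaultdict

# Constructed resolver log lines in the form: timestamp client qname qtype.
# These are made up for this example; nothing here comes from the article
# or from FireEye's report. The long hex labels stand in for encoded data,
# and the single cdn-cache.example lookup shows a long label that is NOT
# flagged because it occurs only once.
SAMPLE_LOG = """\
2016-04-19T10:00:01 10.1.2.50 www.example.com A
2016-04-19T10:00:02 10.1.2.50 updates.example.com A
2016-04-19T10:00:03 10.1.2.50 4a3f9c1e8b7d6a2f0c1e9d8b7a6f5e4d.evil-collector.example A
2016-04-19T10:00:04 10.1.2.50 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.evil-collector.example A
2016-04-19T10:00:05 10.1.2.50 1f2e3d4c5b6a79880716253443526170.evil-collector.example A
2016-04-19T10:00:06 10.1.2.50 b7a6f5e4d3c2b1a09f8e7d6c5b4a3f2e.evil-collector.example A
2016-04-19T10:00:07 10.1.2.50 c0ffee00deadbeef0123456789abcdef.evil-collector.example A
2016-04-19T10:00:08 10.1.2.51 mail.example.com MX
2016-04-19T10:00:09 10.1.2.51 e4f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5.cdn-cache.example A
2016-04-19T10:00:10 10.1.2.51 time.example.org A
"""


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain.
    Assumption for the example only; use a public-suffix list in practice."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_suspicious_domains(log_text, min_label_len=20, min_entropy=3.0,
                            min_queries=3):
    """Group queries by registered domain and flag domains that receive at
    least `min_queries` lookups whose leftmost label is both long and
    high-entropy, the shape data encoded into subdomains tends to have."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0,
                                 "clients": set(), "entropies": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        leftmost = rec["qname"].split(".")[0]
        s = stats[domain]
        s["queries"] += 1
        s["clients"].add(rec["client"])
        ent = shannon_entropy(leftmost)
        if len(leftmost) >= min_label_len and ent >= min_entropy:
            s["suspicious"] += 1
            s["entropies"].append(ent)

    flagged = {}
    for domain, s in stats.items():
        if s["suspicious"] >= min_queries:
            flagged[domain] = {
                "queries": s["queries"],
                "suspicious": s["suspicious"],
                "clients": sorted(s["clients"]),
                "avg_entropy": round(sum(s["entropies"]) / len(s["entropies"]), 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in find_suspicious_domains(SAMPLE_LOG).items():
        print(f"{domain}: {info['suspicious']}/{info['queries']} "
              f"high-entropy queries from {info['clients']}")
```

Two design points matter in practice. First, the per-domain count threshold is what keeps a single odd-looking CDN or telemetry hostname from paging anyone; exfiltration of card data needs many lookups, so volume to one domain is the stronger signal than any one label. Second, the client set is kept so that a hit can be tied back to the specific PoS terminal, which is the first question an incident responder will ask.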
PoS malware is usually optimized for one thing: stealthily stealing credit card data. The malware typically works by searching for the data held on track two of the card. It resides where it can monitor memory for the moment the data is unencrypted, so it can be captured and transmitted.
Symantec has published a good overview of such attacks.
An important reminder here is that cybersecurity isn’t a static operation. It isn’t a project that is completed, or a war that is won. As with any other criminal activity, the bad actors will keep adapting, and defenders have to stay constantly vigilant so that risks can be managed.