Multigrain is a Point of Sale (PoS) malware that specializes in stealing credit and debit card information while using RAM-Scraping techniques (it directly accesses the RAM memory from certain processes to obtain the information from the cards). This has become a popular method as international laws prohibit this information from being stored on the disk (not even temporarily).
Another characteristic of Multigrain is that it uses DNS petitions in order to communicate with the outside (and so it can send the stolen information). In this article we will analyze the malware itself as well as the way the malware communicates.
In April of this year, FireEye published an analysis of this malware and it looks like this is the first time they found a variant of Multigrain. In this article, the analysis pertains to a sample that we detected in November 2015 (MD5 A0973ADAF99975C1EB12CC1E333D302F), and since then we have been able to detect new variants or updates of this malware, but essentially they work in the same way.
Multigrain in detail: a technical analysis
We first started analyzing Multigrain because the analyzed code showed RAM-Scraping characteristics that are typical in PoS malware. We can clearly assess this in the 00405A10 routine shown below.
Within this routine we find ourselves with the typical calls from a process that performs RAM-Scraping on the memory of running processes:
CreateToolhelp32Snapshot to get a pointer of the process list
Process32FirstW and Process32NextW to get a snapshot of the process list after calling the previous API.
OpenProcess is used afterwards to get a list of memory pages with VirtualQueryEx.
Finally, with ReadProcessMemory, you are able to read the content from the previous pages.
Once the buffer is obtained using the content from each page, it will perform the appropriately-named scraping. To do so it uses (in this same routine) the second pseudocode:
If possible TRACKS1/2 sequences are detected, corresponding with the code from the credit card magnetic strip in the buffers from the analyzed memory, it will proceed to call the functions sub_406100 and sub_405D10. The malware is now ready to prepare the data so it can be exfiltrated later.
This PoS malware is only interested in two processes, respectively named “spcwin.exe” and “brain.exe”; if neither of them are detected, “scraping” will not be performed.
The exfiltration performs during DNS petitions (UDP, port 53) from the routine 00402C40, as shown in the following pseudocode:
Apparently, the information leaked by DNS is performed in three different points (two routines) from the program:
In the first routine (address 00401DA0), it uses the “install.” subdomain for the exfiltrated information. In the second routine (address 00402580) it uses the “log.” subdomain for the exfiltrated information.
In these exfiltration routines, we find different references to the functions that code the information using “base32”. This is due to the fact that in order to exfiltrate the bank card information, it is first encoded using “base32” and it later performs DNS requests with the format: install.<base32_CCs>.domain
Apparently, the domain for the sample is: dojfgj.com
Domain Name: DOJFGJ.COM
Registry Domain ID: 1979271903_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2015-11-13T07:16:58.00Z
Creation Date: 2015-11-13T15:16:00.00Z
Registrar Registration Expiration Date: 2016-11-13T15:16:00.00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Domain Status: ok https://www.icann.org/epp#ok
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: 00000
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: 00000
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: 00000
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: CC7F8D40E4FA4188AE5EA89A35925E6B.PROTECT@WHOISGUARD.COM
Name Server: NS1.DOJFGJ.COM
Name Server: NS2.DOJFGJ.COM
If we sort out this domain, we can see that it moves to the internal IP address “192.168.0.3”. The domain is associated with two DNS servers, that in principle resolve eachother. To obtain their actual addresses we should do a “whois”:
$ whois ns2.dojfgj.com
Server Name: NS1.DOJFGJ.COM
IP Address: 22.214.171.124
A “traceroute” of this IP shows us its origin:
$ traceroute 126.96.36.199
traceroute to 188.8.131.52 (184.108.40.206), 30 hops max, 60 byte packets
1 220.127.116.11 (18.104.22.168) 0.423 ms 22.214.171.124 (126.96.36.199) 0.404 ms 0.437 ms
2 188.8.131.52 (184.108.40.206) 0.422 ms 0.394 ms 220.127.116.11 (18.104.22.168) 0.293 ms
3 xe-0-9-0-17.r08.nycmny01.us.bb.gin.ntt.net (22.214.171.124) 3.503 ms 4.078 ms 4.102 ms
4 ae-2.r25.nycmny01.us.bb.gin.ntt.net (126.96.36.199) 1.160 ms ae-3.r25.nycmny01.us.bb.gin.ntt.net (188.8.131.52) 1.226 ms 1.171 ms
5 ae-9.r22.asbnva02.us.bb.gin.ntt.net (184.108.40.206) 6.985 ms 6.926 ms 7.013 ms
6 ae-0.r23.asbnva02.us.bb.gin.ntt.net (220.127.116.11) 6.952 ms 7.091 ms 7.057 ms
7 ae-1.r20.miamfl02.us.bb.gin.ntt.net (18.104.22.168) 42.672 ms 33.314 ms 33.257 ms
8 ae-1.r05.miamfl02.us.bb.gin.ntt.net (22.214.171.124) 35.530 ms 35.327 ms 38.280 ms
9 xe-0-6-0-0.r05.miamfl02.us.ce.gin.ntt.net (126.96.36.199) 32.063 ms 31.912 ms 31.755 ms
10 * * *
11 188.8.131.52.vultr.com (184.108.40.206) 33.398 ms 31.757 ms 32.283 ms
As we can see, it corresponds to an ISP in Miami that manages a multitude of IP addresses:
NetRange: 220.127.116.11 – 18.104.22.168
Parent: CHOOPA (NET-104-156-224-0-1)
Organization: Vultr Holdings, LLC (VHL-57)
To stay persistent in the system (Windows PoS) the analyzed malware installs itself automatically as a service and chooses the name “Windows Module Extension”, as can be seen in the following screenshot (routine 00406C20):
The attacker can perform exclusions at the time it registers itself as a service, now that it already consulted the current region using “ipinfo.io” and depending on the response, the system may or may not register as a service. This is especially useful if the attacker wants to avoid attacking PoS systems in certain countries, for example.
The malware accepts “i” as parameter (from “install”), and in that case it will install the “scraping” process and send the stolen information.
If this parameter is not specified (“i”), in the case it doesn’t find the “spcwin.exe” or “brain.exe” processes running, it will not install the service, and additionally the malware will be automatically eliminated. Both processes pertain to PoS software.