A recent spate of cyber-attacks leveraging POS (Point-of-Sale) malware against big retailers is drawing attention to a relatively new malware strain called "multigrain."  

The discovery of the multigrain point of sale (POS) malware is of concern to all organisations handling payment transactions due to the potential exposure of customer details to malicious third parties.

By combining data from network capture, EDR (Endpoint Detection & Response) and third party log sources, organisations can gain much greater insight into threats gaining a foothold on their networks, such as multigrain, and can subsequently act quickly to contain and remediate them.

The use of DNS exfiltration to evade traditional anti-virus tools is not a new technique, but one that is widely missed by organisations that rely solely on preventative signature based controls rather than a mature and robust detection and response capability.

Multigrain's use of Windows services for persistence and its use of memory scraping techniques could be quickly identified as anomalous using EDR technology and a pro-active threat hunting approach. As well as this, all process executions on POS terminals should conform to a static pattern, any deviation from which could quickly be caught by EDR analytics of new and previously unseen process executions.

As well as using EDR to aid threat detection, organisations should look to deploy strict application whitelisting on POS systems to prevent the execution of malicious binaries such as the multigrain malware in the first place. Any transgressions of the application whitelisting should be fed back into the wider detection and response platform for correlation and follow-up by the organisation’s security team.

Analysis of outbound traffic from the organisation, combined with traditional IDS (intrusion detection systems) and anomaly detection, would also allow an organisation’s security analysts to quickly spot the unusual traffic patterns generated by the multigrain malware. By establishing a baseline of exactly which network hosts a POS terminal should be allowed to communicate with, means any external communications should be immediately flagged for investigation.

More generally, any organisations with POS systems should ensure that these systems are sufficiently segregated from both the public internet and internal end-users’ networks. Any access from internal end-user environments is both logged and forced through a route instrumented with sufficient monitoring coverage to facilitate efficient threat detection.

The discovery of multigrain will not be the last we see of POS malware as sophisticated cyber criminals attempt to cash in on PII and payment card details. Investing in solid, defence driven, detection and response capabilities is key to staying protected in future.

Adam Orton is a security consultant at MWR.