Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

PoS Trojan Bypasses Account Control Posing as Microsoft App

A newly discovered PoS (Point-of-Sale) malware can bypass computer defenses such as User Account Control (UAC) by posing as a legitimate Microsoft application, Doctor Web researchers have discovered.

A newly discovered PoS (Point-of-Sale) malware can bypass computer defenses such as User Account Control (UAC) by posing as a legitimate Microsoft application, Doctor Web researchers have discovered.

Detected as Trojan.Kasidet.1, the threat is distributed as a ZIP archive containing a SCR file, which is, in fact, a self-extracting SFX-RAR archive that runs the main payload. Upon inspection, researchers discovered that the malware is a modification of another piece of malware designed to target terminals that process card payments, namely Trojan.MWZLesson.

Discovered in September last year, MWZLesson stood up in the crowd courtesy of its ability to intercept browser requests, in addition to data-stealing functionality. The threat can intercept GET and POST requests sent via popular browsers, including Mozilla Firefox, Google Chrome, and Maxthon, in addition to Microsoft’s Internet Explorer.

Upon infection, the Trojan performs a series of checks to determine whether on the targeted system runs any program that could hinder its activity. It looks for any copies of itself, as well as for virtual machines, emulators, and debuggers, and terminates itself if any of these is found.

Otherwise, the malware runs itself and attempts to gain administrator privileges by tricking the default system defenses. In the User Account Control (UAC) warning triggered by the malware, however, the user is informed that the running application is called WMI Commandline Utility (wmic.exe) and is developed by Microsoft.

When launched, the wmic.exe utility runs the executable file for Kasidet, which immediately scans the computer’s memory for bank card track data, the same as MWZLesson did before it. All of the data is then sent to the Trojan’s command and control (C&C) server.

The Trojan also steals user’s passwords for Outlook, Foxmail, and Thunderbird, and is also incorporated into Firefox, Chrome, Internet Explorer, and Maxthon to intercept GET and POST requests. What’s more, the malicious program can download and run another application or a malicious library on the infected computer, can search for a specific file on a disk, and can list the running processes and send the information to the C&C server.

“However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone—.bit (Namecoin). This is a system of alternative root DNS servers based on Bitcoin technology,” Doctor Web researchers explain.

Advertisement. Scroll to continue reading.

While common browsers are not able to access such network resources, the Trojan makes use of its own algorithm to get the IPs of its C&C servers. According to the security researchers, the first malware programs that used this Namecoin technology were observed in 2013, but they aren’t frequently detected in the wild, unlike other Trojans.

Last year, researchers discovered several new PoS malware families, including NitlovePoSPoSeidon, MWZLesson, MalumPOS, Cherry Picker and AbaddonPOS.

Related: Worm Capabilities Added to FighterPOS Malware

Related: Operation Black Atlas Continues to Compromise PoS Systems

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.