
PoS Trojan Bypasses Account Control Posing as Microsoft App

A newly discovered PoS (Point-of-Sale) malware can bypass computer defenses such as User Account Control (UAC) by posing as a legitimate Microsoft application, Doctor Web researchers have discovered.


Detected as Trojan.Kasidet.1, the threat is distributed as a ZIP archive containing a SCR file, which is in fact a self-extracting RAR (SFX) archive that runs the main payload. Upon inspection, researchers found that the malware is a modification of another piece of malware designed to target terminals that process card payments, namely Trojan.MWZLesson.

Discovered in September last year, MWZLesson stood out from the crowd thanks to its ability to intercept browser requests, in addition to its data-stealing functionality. The threat can intercept GET and POST requests sent via popular browsers, including Mozilla Firefox, Google Chrome, and Maxthon, as well as Microsoft’s Internet Explorer.

Upon infection, the Trojan performs a series of checks to determine whether any program that could hinder its activity is running on the targeted system. It looks for other copies of itself, as well as for virtual machines, emulators, and debuggers, and terminates itself if any of these is found.

Otherwise, the malware launches and attempts to gain administrator privileges by deceiving the default system defenses. The User Account Control (UAC) prompt it triggers, however, tells the user that the application requesting elevation is the WMI Commandline Utility (wmic.exe), developed by Microsoft.

When launched, the wmic.exe utility runs the executable file for Kasidet, which immediately scans the computer’s memory for bank card track data, the same as MWZLesson did before it. All of the data is then sent to the Trojan’s command and control (C&C) server.

The Trojan also steals users’ passwords for Outlook, Foxmail, and Thunderbird, and embeds itself in Firefox, Chrome, Internet Explorer, and Maxthon to intercept GET and POST requests. What’s more, the malicious program can download and run another application or a malicious library on the infected computer, search for a specific file on disk, and list the running processes and send that information to the C&C server.

“However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone—.bit (Namecoin). This is a system of alternative root DNS servers based on Bitcoin technology,” Doctor Web researchers explain.

While common browsers are not able to access such network resources, the Trojan makes use of its own algorithm to get the IPs of its C&C servers. According to the security researchers, the first malware programs that used this Namecoin technology were observed in 2013, but they aren’t frequently detected in the wild, unlike other Trojans.
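Two of the behaviours described above, wmic.exe launching the Kasidet executable after the UAC prompt and C&C addresses in the .bit (Namecoin) zone, can be turned into simple host-log detection logic. The following is an added example written for this article, not code from Doctor Web or SecurityWeek; the record layout and all file names and domains are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation and DNS-query records.
# The field names are an assumption for this example, not a real log schema.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Windows\System32\wmic.exe",
     "image": r"C:\Users\Public\svc_helper.exe", "cmdline": "svc_helper.exe"},
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wmic.exe", "cmdline": "wmic os get caption"},
    {"event": "dns_query", "image": r"C:\Users\Public\svc_helper.exe",
     "query": "update-node.bit"},
    {"event": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},
]

# Namecoin names end in .bit; a trailing dot covers fully qualified forms.
BIT_TLD = re.compile(r"\.bit\.?$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_wmic_children(events):
    """Process-creation events whose parent is wmic.exe.
    wmic.exe normally runs a query and exits; it seldom legitimately
    launches another executable, which is the pattern the article describes."""
    return [e for e in events
            if e["event"] == "process_create"
            and _basename(e["parent"]) == "wmic.exe"]


def flag_bit_queries(events):
    """DNS queries for the .bit zone, which ordinary software does not use."""
    return [e for e in events
            if e["event"] == "dns_query" and BIT_TLD.search(e["query"])]


def triage(events):
    """Combine both indicators into a per-executable summary of reasons."""
    findings = {}
    for e in flag_wmic_children(events):
        findings.setdefault(_basename(e["image"]), set()).add("spawned_by_wmic")
    for e in flag_bit_queries(events):
        findings.setdefault(_basename(e["image"]), set()).add("bit_dns_query")
    return {image: sorted(reasons) for image, reasons in findings.items()}


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(reasons)}")
```

Treat the .bit check as a secondary indicator: the article notes the Trojan resolves .bit names with its own algorithm, so a query may only reach the system resolver if the malware falls back to it.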

Last year, researchers discovered several new PoS malware families, including NitlovePoS, PoSeidon, MWZLesson, MalumPOS, Cherry Picker and AbaddonPOS.

Related: Worm Capabilities Added to FighterPOS Malware

Related: Operation Black Atlas Continues to Compromise PoS Systems
