A newly discovered piece of PoS (Point-of-Sale) malware gets past User Account Control (UAC) by hiding behind a legitimate Microsoft application: the UAC prompt the victim sees names a genuine Microsoft utility, which then launches the Trojan, Doctor Web researchers have discovered.
Detected as Trojan.Kasidet.1, the threat is distributed as a ZIP archive containing an SCR file that is in fact a self-extracting RAR (SFX) archive; running it unpacks and launches the main payload. On closer inspection, the researchers found the malware to be a modification of Trojan.MWZLesson, an earlier piece of malware that targets terminals processing card payments.
Discovered in September last year, MWZLesson stood out from the crowd because, in addition to stealing data, it could intercept browser traffic: it hooks GET and POST requests sent from popular browsers, including Mozilla Firefox, Google Chrome, Maxthon and Microsoft's Internet Explorer.
Upon infection, the Trojan performs a series of checks for software on the target system that could hinder its activity. It looks for other running copies of itself, as well as for virtual machines, emulators and debuggers, and terminates if it finds any of them.
Otherwise, the malware proceeds to run and attempts to gain administrator privileges by turning the system's default defenses against the user. The UAC prompt it triggers does not name the Trojan: it tells the user that the application requesting elevation is the WMI Commandline Utility (wmic.exe), published by Microsoft, so the request looks like one a trusted system tool is making.
Once approved and launched, wmic.exe in turn runs the Kasidet executable, which immediately scans the computer's memory for bank card track data, just as MWZLesson did before it. All of the data is then sent to the Trojan's command and control (C&C) server.
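The elevation trick described above leaves a process tree a defender can look for. The following is an added example, not Doctor Web's code or anything taken from the Trojan: it runs a small detection over Sysmon-style process-creation records (constructed here) and assumes the dropper asks wmic.exe to start the payload with "process call create", since the article only says that wmic.exe runs the Kasidet executable. One detail the description hides: a process created through WMI's Win32_Process.Create is started by the WMI provider host, so the payload's parent is WmiPrvSE.exe rather than wmic.exe, and a rule that only looks for children of wmic.exe will miss it.

```python
"""Flag WMI being used to launch an executable from a user-writable directory.

Added example for this article, not Doctor Web's code. Assumptions: Sysmon-style
process-creation records (one dict per event), and a "process call create" command
line for wmic.exe (not stated on the page). The sample events are constructed.
"""
import re
from typing import Dict, List

# Where a payload unpacked from a ZIP/SFX archive typically lands.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_launcher(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts: List[str] = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "")
        level = ev.get("IntegrityLevel", "unknown")
        # 1. wmic.exe itself being asked to create a process. At High integrity the
        #    user has already accepted a UAC prompt that named wmic.exe as the program.
        if _basename(image) == "wmic.exe" and WMIC_CREATE.search(cmdline):
            alerts.append(f"wmic.exe creating a process ({level}): {cmdline}")
        # 2. The created process: its parent is WmiPrvSE.exe (the WMI provider host,
        #    not wmic.exe) and its image sits in a user-writable directory.
        if _basename(parent) == "wmiprvse.exe" and USER_WRITABLE.search(image):
            alerts.append(f"WMI-spawned binary from user-writable path ({level}): {image}")
    return alerts


# Constructed events; paths and file names are illustrative, not real indicators.
SAMPLE_EVENTS = [
    {   # benign: an administrator querying the OS version
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "wmic os get Caption,Version",
        "IntegrityLevel": "Medium",
    },
    {   # the SFX-extracted dropper asking wmic to start the payload (assumed command line)
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\invoice.scr",
        "CommandLine": r'wmic process call create "C:\Users\alice\AppData\Local\Temp\RarSFX0\kasidet.exe"',
        "IntegrityLevel": "High",
    },
    {   # the payload, started by the WMI provider host rather than by wmic.exe
        "Image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\kasidet.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\kasidet.exe",
        "IntegrityLevel": "High",
    },
    {   # benign: the WMI provider host starting a system binary
        "Image": r"C:\Windows\System32\cscript.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cscript.exe C:\Windows\Temp\inventory.vbs",
        "IntegrityLevel": "System",
    },
]

if __name__ == "__main__":
    for alert in detect_wmi_launcher(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire on the constructed tree (the wmic.exe command line and the WmiPrvSE.exe child), while the two benign events produce nothing; in production the same logic maps directly onto Sysmon Event ID 1 fields.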
The Trojan also steals the user's passwords for Outlook, Foxmail and Thunderbird, and injects itself into Firefox, Chrome, Internet Explorer and Maxthon to intercept GET and POST requests. In addition, it can download and run another executable or a malicious library on the infected computer, search the disk for a specific file, and list the running processes and send that list to the C&C server.
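The memory scan for bank card track data mentioned above is the defining behaviour of this malware class, so it is worth seeing what it actually involves. The following is an added example, not Doctor Web's code or the Trojan's own patterns: it scans a constructed byte buffer for ISO/IEC 7813 Track 1 and Track 2 framing (start sentinel, PAN, field separator, expiry, end sentinel) and validates each candidate PAN with the Luhn check digit, which is how a scraper, or an analyst looking for card data in a memory dump, separates real track data from arbitrary digit runs. The PANs used are publicly documented test numbers, not real cards.

```python
"""Scan a byte buffer for magnetic-stripe track data, the way a PoS RAM scraper does.

Added example for this article, not Doctor Web's code. The regular expressions follow
the ISO/IEC 7813 track layouts; the buffer below is constructed and the card numbers are
standard test PANs.
"""
import re
from typing import List, NamedTuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


class TrackHit(NamedTuple):
    track: int
    pan: str
    expiry: str   # YYMM exactly as encoded on the stripe
    offset: int   # byte offset of the start sentinel in the buffer


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_tracks(buf: bytes) -> List[TrackHit]:
    """Return Luhn-valid Track 1 and Track 2 hits, ordered by buffer offset."""
    hits: List[TrackHit] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, pan, m.group(3).decode(), m.start()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, pan, m.group(2).decode(), m.start()))
    return sorted(hits, key=lambda h: h.offset)


def mask(pan: str) -> str:
    """Keep first six and last four digits, as a defender's report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed "process memory": filler, a bare card-like number without framing,
# one Track 1 record, one Track 2 record with a bad check digit, one valid Track 2.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"RECEIPT TOTAL 41.99 ref 5500000000000004 \x00\x00"   # no sentinels: ignored
    + b"%B5500000000000004^DOE/JANE^25121011234567890?\x00"   # Track 1, valid Luhn
    + b";4111111111111112=25121010000000000?"                 # Track 2 framing, bad check digit
    + b"\x00\x00;4111111111111111=25121010000000000?\x00"     # Track 2, valid Luhn
)

if __name__ == "__main__":
    for hit in scan_for_tracks(SAMPLE_MEMORY):
        print(f"track {hit.track} at offset {hit.offset}: {mask(hit.pan)} exp {hit.expiry}")
```

The bare number in the receipt text and the Track 2 record with a wrong check digit are both dropped; only the two properly framed, Luhn-valid records are reported, and they are masked before printing. The same pattern-plus-checksum approach is what an incident responder can run over a memory dump from a suspected terminal.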
“However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone—.bit (Namecoin). This is a system of alternative root DNS servers based on Bitcoin technology,” Doctor Web researchers explain.
Ordinary browsers cannot reach such resources, since .bit names are not served by the regular DNS hierarchy, so the Trojan uses its own routine to obtain the IP addresses of its C&C servers. According to the researchers, the first malware to use Namecoin for this purpose appeared in 2013, but such samples remain rare in the wild compared with other Trojans.
Last year, researchers discovered several new PoS malware families, including NitlovePoS, PoSeidon, MWZLesson, MalumPOS, Cherry Picker and AbaddonPOS.
Related: Worm Capabilities Added to FighterPOS Malware
Related: Operation Black Atlas Continues to Compromise PoS Systems