Kasidet PoS malware bypasses Account Control posing as Microsoft App

Pierluigi Paganini August 06, 2016

Experts from Dr Web discovered a new PoS malware dubbed Kasidet that can bypass User Account Control (UAC) by posing as a legitimate Microsoft application.

A new strain of PoS malware is in the wild, experts from security firm Doctor Web  named it Trojan.Kasidet.1 and it is able to bypass defense mechanism such as the Microsoft UAC by posing as a legitimate Microsoft app.

Trojan.Kasidet.1 is spread via email having a ZIP archive as an attachment. The ZIP file contains an SCR file, which is a self-extracting SFX-RAR archive that is able to extract and execute the malicious payload.

A careful analysis of the code revealed that the code is derived from another malware used to infect payment terminals, the Trojan.MWZLesson malware.

The MWZLesson was discovered by experts at Dr. Web in September 2015, the researchers noted that the  threat was designed by mixing code from other malware, including the Dexter PoS and the Neutrino backdoor.

“This code was borrowed from another Trojan designed for POS terminals and named Trojan.PWS.Dexter. The malware sends all acquired bank card data and other intercepted information to the command and control server.” states the blog post published by Dr. Web.

MWZLesson compromises the POS terminals, scraping the RAM memory to search for credit card data. Once infected the PoS system, the malware communicates with the server over the HTTP protocol, it steals card data and sends it to the command and control server through GET and POST requests.

The Trojan.Kasidet.1 PoS malware once executed performs a number of checks to determine whether on the system runs any security solution or software that could interfere with it. It terminates itself in case it finds virtual machines, emulators, and debuggers, and even copies of itself.

If the threat passes the checks, it runs itself and attempts to gain administrator privileges on the targeted system. When executed the Trojan.Kasidet.1 triggers the User Account Control (UAC) warning, but victims see a warning message that informs them that the running application is called WMI Commandline Utility (wmic.exe) and is developed by Microsoft.

“The Trojan first checks whether its copy and any virtual machines, emulators, and debuggers are present in the infected system. If Trojan.Kasidet.1 finds a program that can somehow hinder its operation, it terminates itself. If not, it gains administrator privileges and runs itself. Even though the User Accounts Control (UAC) system demonstrates a warning on the screen, the potential victim is thrown off guard because the running application (wmic.exe) appears to have been developed by Microsoft:” states Doctor Web in a blog post. 

trojan kasidet 1.1

The malware works around the unsuspecting user with this trick.

When wmic.exe utility runs Kasidet scans the PoS memory for bank card track data, then data is sent to the C&C server.

The Trojan.Kasidet.1 is also able to steal passwords from common applications, including Outlook, Foxmail, and Thunderbird. It has also the ability to deliver and install other malicious payloads on the infected machine.

“In addition, it steals passwords for Outlook, Foxmail, and Thunderbird email applications and can be incorporated into Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers for the purpose of intercepting GET and POST requests. This malware program can also download and run another application or a malicious library on the infected computer, find a particular file on a disk, or generate a list of running processes and transmit it to the C&C server.” Doctor Web researchers added.

However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone .bit (Namecoin). The Trojan implements its own algorithm to get the IPs of its C&C servers, this is the first PoS malware that used this Namecoin technology.

“This is a system of alternative root DNS servers based on Bitcoin technology. Common browsers cannot access such network resources; however, Trojan.Kasidet.1 uses its own algorithm to get the IPs of its C&C servers. Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild, unlike other Trojans.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Kasidet, PoS malware)



you might also like

leave a comment