Kasidet PoS malware bypasses Account Control posing as Microsoft App

Experts from Dr Web discovered a new PoS malware dubbed Kasidet that can bypass User Account Control (UAC) by posing as a legitimate Microsoft application.

A new strain of PoS malware is in the wild, experts from security firm Doctor Web named it Trojan.Kasidet.1 and it is able to bypass defense mechanism such as the Microsoft UAC by posing as a legitimate Microsoft app.

Trojan.Kasidet.1 is spread via email having a ZIP archive as an attachment. The ZIP file contains an SCR file, which is a self-extracting SFX-RAR archive that is able to extract and execute the malicious payload.

A careful analysis of the code revealed that the code is derived from another malware used to infect payment terminals, the Trojan.MWZLesson malware.

The MWZLesson was discovered by experts at Dr. Web in September 2015, the researchers noted that the threat was designed by mixing code from other malware, including the Dexter PoS and the Neutrino backdoor.

“This code was borrowed from another Trojan designed for POS terminals and named Trojan.PWS.Dexter. The malware sends all acquired bank card data and other intercepted information to the command and control server.” states the blog post published by Dr. Web.

MWZLesson compromises the POS terminals, scraping the RAM memory to search for credit card data. Once infected the PoS system, the malware communicates with the server over the HTTP protocol, it steals card data and sends it to the command and control server through GET and POST requests.

The Trojan.Kasidet.1 PoS malware once executed performs a number of checks to determine whether on the system runs any security solution or software that could interfere with it. It terminates itself in case it finds virtual machines, emulators, and debuggers, and even copies of itself.

If the threat passes the checks, it runs itself and attempts to gain administrator privileges on the targeted system. When executed the Trojan.Kasidet.1 triggers the User Account Control (UAC) warning, but victims see a warning message that informs them that the running application is called WMI Commandline Utility (wmic.exe) and is developed by Microsoft.

“The Trojan first checks whether its copy and any virtual machines, emulators, and debuggers are present in the infected system. If Trojan.Kasidet.1 finds a program that can somehow hinder its operation, it terminates itself. If not, it gains administrator privileges and runs itself. Even though the User Accounts Control (UAC) system demonstrates a warning on the screen, the potential victim is thrown off guard because the running application (wmic.exe) appears to have been developed by Microsoft:” states Doctor Web in a blog post.

The malware works around the unsuspecting user with this trick.

When wmic.exe utility runs Kasidet scans the PoS memory for bank card track data, then data is sent to the C&C server.

The Trojan.Kasidet.1 is also able to steal passwords from common applications, including Outlook, Foxmail, and Thunderbird. It has also the ability to deliver and install other malicious payloads on the infected machine.

“In addition, it steals passwords for Outlook, Foxmail, and Thunderbird email applications and can be incorporated into Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers for the purpose of intercepting GET and POST requests. This malware program can also download and run another application or a malicious library on the infected computer, find a particular file on a disk, or generate a list of running processes and transmit it to the C&C server.” Doctor Web researchers added.

However, unlike Trojan.MWZLesson, the C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone .bit (Namecoin). The Trojan implements its own algorithm to get the IPs of its C&C servers, this is the first PoS malware that used this Namecoin technology.

“This is a system of alternative root DNS servers based on Bitcoin technology. Common browsers cannot access such network resources; however, Trojan.Kasidet.1 uses its own algorithm to get the IPs of its C&C servers. Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild, unlike other Trojans.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Kasidet, PoS malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.