
New dangerous Trojan for POS terminals discovered

by sigismund » 2016-08-03 11:24:17


The Trojan is a modification of the well-known Trojan.MWZLesson.

Security researchers from Doctor Web have discovered a new modification of a known POS Trojan. The new malware is an enhanced version of Trojan.MWZLesson.

The sample the experts analyzed, Trojan.Kasidet.1 (according to Doctor Web's classification), is distributed as a ZIP archive containing a file with the .SCR extension. This file is a self-extracting RAR (SFX) archive designed to extract and run the malicious program on the target device.

The Trojan checks the infected system for copies of itself and attempts to detect virtual machines, emulators and debuggers. If it finds something dangerous to itself, Trojan.Kasidet.1 stops running. Otherwise, the malware tries to run on the infected device with administrator rights. A User Account Control (UAC) warning appears on screen; the application it asks to launch, wmic.exe, is published by Microsoft, which is meant to lull potential victims. wmic.exe in turn runs the Trojan.Kasidet.1 executable.

Trojan.Kasidet.1 is able to scan the memory of infected devices for bank card track data received through POS devices and send it to a server controlled by the attackers. In addition, the Trojan can steal passwords from the email programs Outlook, Foxmail and Thunderbird, and it injects itself into the processes of the browsers Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Maxthon to intercept GET and POST requests. On command from the C&C server, the malware can download another application or malicious library to disk and run it on the infected device, send a given file to the server, or provide the attackers with a list of the processes running on the computer.

Unlike Trojan.MWZLesson, the C&C server of Trojan.Kasidet.1 is located in the decentralized .bit (Namecoin) domain zone, which is served by alternative root DNS servers based on Bitcoin technology. Ordinary web browsers cannot reach such network resources, but Trojan.Kasidet.1 uses its own algorithm to obtain the IP addresses of its command servers.
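An added example, not part of sigismund's post and not code from Doctor Web's analysis of Trojan.Kasidet.1: the post says the Trojan scans process memory for bank card track data. The same signatures a POS memory scraper hunts for can be used by a defender to find where card data sits unencrypted in memory. The block below scans a constructed byte buffer (standing in for a memory dump; the card numbers are public test numbers) for ISO 7813 Track 1 and Track 2 records, and uses the Luhn check digit plus a month sanity check to drop regex hits that are not real PANs. The regexes, the buffer contents and the function names are my own assumptions, not anything taken from the malware.

```python
import re

# Track 1 (ISO/IEC 7813, format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    rb"(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>[^?]{0,30})\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d{0,20})\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True when the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and the last four digits; a report must never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes, require_luhn: bool = True) -> list:
    """Scan a memory buffer for Track 1 / Track 2 records.

    Returns findings sorted by byte offset. Each finding is a dict with the
    track number, masked PAN, expiry (YYYY-MM), service code, Luhn result and
    offset. Regex hits whose PAN fails Luhn or whose month is out of range are
    dropped unless require_luhn is False (useful to see what the regex alone
    would have flagged).
    """
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan").decode("ascii")
            yy = m.group("yy").decode("ascii")
            mm = m.group("mm").decode("ascii")
            luhn = luhn_ok(pan)
            month_ok = 1 <= int(mm) <= 12
            if require_luhn and not (luhn and month_ok):
                continue
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": "20%s-%s" % (yy, mm),
                "service_code": m.group("svc").decode("ascii"),
                "luhn_ok": luhn,
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed stand-in for a POS process memory region (assumption, not real data).
# PANs are well-known public test numbers; the third record is off by one digit
# so it matches the regex but fails Luhn, and the last one has too short a PAN.
SAMPLE_MEMORY = (
    b"\x00\x00POS-app heap\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00\x00garbage\x90\x90"
    b";5555555555554444=2603101123456789?"
    b"\x00 invoice 2016-08-03 \x00"
    b";4111111111111112=2603101123456789?"
    b"\x00 ;123456789=0101101? \x00"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_MEMORY):
        print("track %d at offset %d: %s exp %s svc %s"
              % (f["track"], f["offset"], f["pan_masked"], f["expiry"], f["service_code"]))
```

To run this against a live process you would feed scan_buffer the readable regions of the target (ReadProcessMemory on Windows, /proc/PID/mem on Linux) chunk by chunk, overlapping chunks by the maximum record length so a record split across a boundary is not missed. The Luhn filter matters: on a real heap the bare regex fires on timestamps, serial numbers and counters, and without it the report is mostly noise.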