Kasidet POS RAM Scraper Malware
Kasidet is a family of Point of Sale (POS) malware: a bot that launches DDoS attacks, scrapes payment card data from the memory of POS processes, and hides its command-and-control (C&C) servers behind domains in Namecoin's Dot-Bit (.bit) service.[1][2] It is also known as Trojan.MWZLesson or Neutrino and was first documented by security researchers in September 2015.[3][4] It combines the BackDoor.Neutrino.50 bot with POS RAM-scraping functionality.[5]
Operation
Kasidet reaches a system bundled with other malware or as an unnoticed download when a user visits a malicious website.[6][7] It differs from earlier POS malware in the features built around its scraping core.[8] First it scans the memory of running POS processes for payment card (magnetic-stripe track) data. The scraped data is then sent to the attacker's C&C server; the bot can also hook the browser to intercept HTTP GET and POST requests and capture the data submitted in them.[9] The bot is reported to be hard to detect with security software; it is distributed through spam e-mail campaigns and exploit kits.[10] Its operators later extended the scraper and moved the C&C server behind a .bit domain. Such a name is registered in the Namecoin blockchain rather than in the regular DNS hierarchy, so no registrar can seize or sinkhole it, and only resolvers that serve Dot-Bit can answer for it.
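Two checks an incident responder would run for the behaviour described above, given as an added example (this is not code from the original page or from any published Kasidet analysis): a scan of a process-memory image for Track 2 card data, filtered with the Luhn check, which mirrors what the scraper itself harvests and lets a forensic examiner confirm that card data was exposed in memory; and a scan of resolver log lines for lookups of names under the .bit top-level domain. The memory buffer, the card numbers (standard test PANs), and the log lines are constructed for the example, and all function names are the example's own.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
# The sentinels are often gone by the time the data sits in POS process memory,
# so both are optional here. The lookbehind stops a longer digit run from being
# mis-parsed as a PAN; a scraper that skips it produces many false hits.
TRACK2_RE = re.compile(
    rb";?(?<![0-9])([0-9]{13,19})=([0-9]{2})([0-9]{2})([0-9]{3})([0-9]*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits; a responder's report must not carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_track2(memory: bytes) -> list:
    """Return Luhn-valid Track 2 records found in a raw memory image."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


def find_dotbit_lookups(log_lines) -> list:
    """Names under Namecoin's .bit TLD seen in resolver or proxy log lines.

    Ordinary DNS cannot resolve .bit, so even an NXDOMAIN answer points at
    software that expects a Dot-Bit-aware resolver."""
    names = []
    for line in log_lines:
        for tok in line.split():
            name = tok.strip("\"',;()[]").rstrip(".").lower()
            if name.endswith(".bit") and len(name) > 4:
                names.append(name)
    return names


# Constructed sample memory image: heap noise, a 20-digit run that must not be
# taken for a PAN, two valid test PANs and one that fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x10POSAPP.EXE\x00\x00heap-noise 12345678901234567890=0000 \x00"
    b";4111111111111111=2512101123456789?\x00\x00"
    b"junk;1234567890123456=2501101000000?\x00"
    b"\x00\x00;5555555555554444=2407201000000000?\x00"
)

# Constructed resolver log lines in a BIND-style query-log format.
SAMPLE_DNS_LOG = [
    "10-Feb-2016 09:14:02.114 client 10.1.20.15#51321: query: pos-update.bit IN A + (10.1.20.2)",
    "10-Feb-2016 09:14:05.002 client 10.1.20.15#51322: query: update.bitdefender.com IN A + (10.1.20.2)",
    "10-Feb-2016 09:14:07.221 client 10.1.20.18#51401: query: ocsp.digicert.com IN A + (10.1.20.2)",
]

if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print("card data in memory:", hit)
    for name in find_dotbit_lookups(SAMPLE_DNS_LOG):
        print("dot-bit lookup:", name)
```

The memory scan reports only masked PANs, which is enough to confirm exposure and to notify the card brands without turning the forensic report into another copy of the stolen data. For the DNS check, bear in mind that a bot which hard-codes its own Dot-Bit-capable resolver never asks the corporate resolver at all, so the log check should be paired with a rule that flags outbound port 53 traffic to any address other than the approved resolvers.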
Incidents
- The US Government attributed malware found on Democratic National Committee computers and on a Burlington Electric Department laptop, reported to be Kasidet/Neutrino, to Russian hackers.[11][12][13] In the DNC case the software was allegedly used to interfere in the 2016 election. The utility stated that the infected laptop was not connected to its grid control systems.[11][13]
- Zscaler reported that Microsoft Office documents distributed in phishing e-mails carried macros that installed Kasidet (alongside Dridex) on users' machines.[7][14] The malware is believed to originate in Russia.[14]
See also
- Cyber electronic warfare
- Cyber security standards
- Cyber warfare
- List of cyber attack threat trends
- Proactive Cyber Defence
- Point-of-sale malware
- Point of sale
References
- [1] "What is Kasidet Malware?". http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Kasidet.
- [2] "Kasidet uses Namecoin's Dot-Bit service to hide C&C servers". http://news.softpedia.com/news/kasidet-pos-credit-card-scraper-hides-c-c-servers-on-namecoin-s-blockchain-506988.shtml.
- [3] "Kasidet POS RAM Scraper Bot". https://securebox.comodo.com/blog/pos-security/kasidet-pos-ram-scraper-bot-now-hides-cc-servers-namecoins-dot-bit-service/.
- [4] "Major Botnet Malware". https://www.eset.com/int/about/newsroom/research/eset-helps-to-disrupt-dorkbot-major-botnet-malware/.
- [5] "Backdoor Neutrino Malware". http://www.darkreading.com/endpoint/macro-malware-resurgence-highlighted-by-kasidet-outbreak/d/d-id/1324144.
- [6] "Kasidet Neutrino Malware Operation". https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_kasidet.fd.
- [7] "Malicious Office Files Dropping Kasidet And Dridex". https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex.
- [8] "Attackers Dropping Kasidet Bot with Advanced Features". https://threatpost.com/attackers-dropping-kasidet-bot-via-office-macros/116090/.
- [9] "C&C Servers Add Third 'C' With New Concealment Tools". https://securityintelligence.com/news/cc-servers-add-third-c-with-new-concealment-tools/.
- [10] "Kasidet DDoSing Bot Adds Credit Card Scraping Capabilities". http://news.softpedia.com/news/kasidet-ddosing-bot-adds-credit-card-scraping-capabilities-492802.shtml.
- [11] "Vermont utility finds alleged Russian malware on computer". http://edition.cnn.com/2016/12/30/us/grizzly-steppe-malware-burlington-electric/.
- [12] "Russians Penetrated Burlington Electric Department Computer". https://vtdigger.org/2016/12/30/russians-penetrated-computer-burlington-electric-dept/.
- [13] "US Power Grid: The Russians Are Hacking (Or Not)". http://opensources.info/us-power-grid-the-russians-are-hacking-or-not/.
- [14] "MS Office files delivering malware". https://www.enterprisetimes.co.uk/2016/02/01/ms-office-files-delivering-malware/.