The flexible Kasidet DDoS malware family has recently started using the Namecoin’s Blockchain-based DNS service to hide its Command and Control servers.
In September last year, the Russian cybersecurity company Dr.Web ran across a new piece of malware named Trojan.MWZLesson which was targeting Point-of-Sale (PoS) systems.
The experts were highly surprised by the Trojan's ability to launch Distributed Denial of Service (DDoS) attacks. However, it all became clear when, a week later, Trend Micro's team discovered that Trojan.MWZLesson was actually the Kasidet DDoS malware with a new addition: a PoS memory scraping module. Shortly after, Dr.Web researchers confirmed the discovery as well.
The Kasidet creators were only deploying the memory scraping module if the infected device had PoS software installed. In that case they used the module to gather credit card information while PoS data was being processed in memory.
Apart from this capability, Kasidet's scraping module could also intercept POST and GET requests from the Google Chrome, Internet Explorer and Firefox browsers. This data would then be sent to the malware's C&C servers, where the cybercriminals would decompose and analyze it to derive any valuable information, provided it had been sent in clear text.
Recently, Kasidet's PoS memory scraping module has been improved with an update. According to Dr.Web, since earlier this month Kasidet has started using Namecoin's DNS service Dot-Bit (.bit) to hide its C&C servers.
Namecoin's blockchain hosts a Dot-Bit domain name service which allows anyone to create ".bit" domains that resolve to their own computer. Because the .bit top-level domain is not part of the regular DNS root, users can't access these ".bit" sites unless they run a particular tool named NMControl, which resolves the names from the blockchain.
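From a defender's point of view, the useful consequence of the .bit scheme is that an infected host which has not been given a Namecoin resolver will still emit lookups for ".bit" names to the ordinary corporate DNS, where they fail but are logged. The script below is an added example (not code from Dr.Web, Trend Micro or the Kasidet authors) that scans a constructed DNS query log for ".bit" lookups and counts them per client; the log format, the client addresses and the hostnames are all assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log (assumption: a simple "client=<ip> query=<name> type=<rr>"
# format, not the output of any particular DNS server product). The .bit names
# are placeholders, not real indicators.
SAMPLE_DNS_LOG = """\
2016-03-02T10:14:01Z client=10.0.0.21 query=www.example.com. type=A
2016-03-02T10:14:03Z client=10.0.0.21 query=update.example-cdn.net. type=A
2016-03-02T10:14:07Z client=10.0.0.42 query=c2-placeholder.bit. type=A
2016-03-02T10:14:09Z client=10.0.0.42 query=C2-PLACEHOLDER.BIT type=A
2016-03-02T10:14:11Z client=10.0.0.42 query=mail.example.org. type=MX
2016-03-02T10:15:12Z client=10.0.0.42 query=bitcoin.example.org. type=A
2016-03-02T10:15:30Z client=10.0.0.77 query=another-host.bit. type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)


def normalize_name(qname):
    """Lower-case the name and drop the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def is_bit_domain(qname):
    """True only when the *top-level* label is 'bit' (so 'bitcoin.org' and
    'foo.bit.example.com' are not flagged)."""
    name = normalize_name(qname)
    return name == "bit" or name.endswith(".bit")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalize_name(rec["qname"])
    return rec


def find_bit_lookups(log_text):
    """All parsed records whose queried name lives under the .bit TLD."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bit_domain(rec["qname"]):
            hits.append(rec)
    return hits


def clients_by_bit_count(log_text):
    """Number of .bit lookups per client address, for triage ordering."""
    return Counter(rec["client"] for rec in find_bit_lookups(log_text))


if __name__ == "__main__":
    for rec in find_bit_lookups(SAMPLE_DNS_LOG):
        print(f"{rec['ts']} {rec['client']} -> {rec['qname']} ({rec['rtype']})")
    for client, n in clients_by_bit_count(SAMPLE_DNS_LOG).most_common():
        print(f"{client}: {n} .bit lookup(s)")
```

The check is deliberately on the top-level label only; matching the substring "bit" anywhere in a name would bury the signal under lookups such as "bitcoin.example.org". On a network that has no legitimate reason to use Namecoin, any .bit query is worth a look, and a host repeating the lookup is a stronger lead than a single hit.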
"Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild," Dr.Web's security experts state.