Kasidet`s PoS Memory Scraping Module Uses Namecoin’s Blockchain to Hide its C&C Servers

The flexible Kasidet DDoS malware family has recently started using the Namecoin’s Blockchain-based DNS service to hide its Command and Control servers.

In September last year, the Russian cybersecurity company Dr.Web, ran across a new piece of malware named Trojan.MWZLesson which was targeting Point-of-Sale systems.

The experts were highly surprised by the Trojan`s ability to launch Distributed Denial of Service (DDoS) attacks. Anyway, it all became clear when, a week later, Trend Micro`s team discovered that the Trojan.MWZLesson was actually the Kasidet DDoS malware with a new addition to support a PoS memory scraping module. Shortly after, Dr.Web researchers confirmed the discovery as well.

The Kasidet creators were only deploying the memory scraping module if the infected device had a PoS software installed. In that case they utilized the module to gather credit card information as PoS data was being processed inside the OS memory.

Apart from this capability, Kasidet`s scraping module could also intercept POST and GET requests from Google Chrome, Internet Explorer and Firefox browsers. Then this data would be sent to the malware`s C&C servers where the cybercriminals would decompose and analyze it to derive any valuable information if it is send in clear text.

Recently, the Kasidet`s PoS memory scraping module has been improved with an update. According to Dr.Web, since earlier this month, Kasidet stated using Namecoin’s DNS service Dot-Bit (.bit) to hide its C&C servers.

Namecoin’s Blockchain host a Dot-Bit domain name service which allows anyone to create “.bit” domains redirecting back to their computer. Users can`t access these “.bit” webpages unless they have a particular tool named NMControl.

Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild.” Dr.Web`s security experts state.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.