DDOS bot gets upgraded with PoS RAM scraping feature

Sep 25, 2015 19:54 GMT  ·  By

Trend Micro reports on a new version of the Kasidet bot, which now includes a dedicated module for scraping data from PoS (Point of Sale) systems.

Kasidet, also known as Neutrino, has been around for years and was mainly known for its DDoS capabilities. As it evolved, its creators gradually bolted modules onto its core: keystroke logging, clipboard capture, screenshots, a remote shell, and even the ability to spread to other devices on the same network as the infected machine.

According to an investigation by Trend Micro's researchers, the bot's creators added support for scraping a PoS terminal's RAM this past March, starting with Kasidet version 2.9. The module lets them recover any payment card data still sitting in the terminal's memory, where card numbers and track data briefly exist in the clear while a transaction is processed.
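The article does not describe how Kasidet's scraper works internally, so the following is an added example of the general technique, not Trend Micro's analysis or the bot's code: a scan of a process memory buffer for card-like data. PoS RAM scrapers typically look for Track 2 layouts (PAN, "=", YYMM expiry) or bare 13-19 digit runs, then discard false positives with the Luhn check. The same routine, run by a defender over a memory dump of the payment application, shows whether card data is exposed. The regexes, the constructed sample buffer (using the well-known Visa and MasterCard test numbers) and the masking helper are all assumptions of this example.

```python
import re

# Assumption of this example: a bare 13-19 digit run not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Assumption of this example: Track 2 tail, "=" followed by a YYMM expiry.
TRACK2_TAIL_RE = re.compile(rb"=(\d{4})")


def luhn_ok(digits: bytes) -> bool:
    """Standard Luhn checksum over an ASCII digit string; weeds out order IDs etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ord('0')
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; never log or store a full PAN from a scan."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid card numbers found in buf, tagged as Track 2 or bare PAN."""
    hits = []
    for m in PAN_RE.finditer(buf):
        pan = m.group(1)
        if not luhn_ok(pan):
            continue
        tail = TRACK2_TAIL_RE.match(buf, m.end())
        if tail:
            hits.append({"kind": "track2", "pan": pan.decode(),
                         "expiry": tail.group(1).decode(), "offset": m.start()})
        else:
            hits.append({"kind": "pan", "pan": pan.decode(), "offset": m.start()})
    return hits


# Constructed memory snapshot for the example: one Track 2 record, one bare PAN,
# and a 16-digit order ID that looks like a card number but fails Luhn.
SAMPLE = (
    b"\x00\x00POS-TXN ;4111111111111111=25121010000?\x00"
    b"order-id 1234567890123456 total 12.99\x00"
    b"5500000000000004 cardholder\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE):
        print(hit["kind"], mask_pan(hit["pan"]), "at offset", hit["offset"])
```

Because a real scraper has to run this over every page of the payment process's address space, a cheap hardening step is to keep PANs out of memory in the clear for as short a time as possible and to zero buffers after use; the scan above makes the exposure window visible.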

Kasidet's source code was leaked online this summer

The researchers discovered this in July, after version 3.6 of the bot was leaked on underground hacking forums.

These recent changes did not make the bot any harder to detect. Trend Micro's telemetry shows that most infected users were in Japan (12.75%), the UK (10.78%), Taiwan (7.84%), France (6.86%), and the US (6.86%).

Just as before, attackers are using exploit kits and email spam campaigns to deliver their malicious payload to victims. Trend Micro reports that the latest exploit kit used to deliver Kasidet is the Sundown exploit kit.

The Kasidet C&C server tries to fool security experts by playing dead

What is different in this new version of Kasidet is how the malware tries to trick researchers into thinking it is not operating properly. The C&C server answers every check-in with an HTTP 404 Not Found response, so a casual look at the traffic suggests a dead or misconfigured server; in fact, the bot's instructions are embedded in the body of that error page, and the bot parses them out.
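The practical consequence for defenders is that a 404 is not evidence of failed C&C. The following is an added example, not from the article or from Trend Micro, of a detection heuristic that fits this trick: over proxy logs, a client that keeps fetching the same host on a regular cadence and is answered with a 404 that carries a body is beaconing, whatever the status code says. The log format, thresholds, hostnames and addresses are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines for the example: "epoch client host status body_bytes".
# 10.0.0.5 polls shop.example every 60 s and always receives a 404 with a body
# (the pattern described in the article); the other lines are ordinary browsing.
LOG = """\
1443200000 10.0.0.5 shop.example 404 1412
1443200003 10.0.0.9 news.example 200 58211
1443200060 10.0.0.5 shop.example 404 1398
1443200071 10.0.0.7 cdn.example 404 224
1443200120 10.0.0.5 shop.example 404 1412
1443200150 10.0.0.7 cdn.example 200 9031
1443200180 10.0.0.5 shop.example 404 1433
1443200190 10.0.0.5 blog.example 404 512
1443200240 10.0.0.5 shop.example 404 1412
"""


def parse(line: str):
    ts, client, host, status, size = line.split()
    return int(ts), client, host, int(status), int(size)


def find_404_beacons(lines, min_hits=4, max_jitter=0.2, min_body=200):
    """Flag (client, host) pairs that receive 404s with bodies on a regular cadence.

    max_jitter is the allowed coefficient of variation of the inter-request gaps;
    a bot sleeping a fixed interval has near-zero jitter, a human browsing does not.
    """
    groups = defaultdict(list)
    for line in lines:
        ts, client, host, status, size = parse(line)
        if status == 404 and size >= min_body:
            groups[(client, host)].append((ts, size))

    suspects = []
    for (client, host), events in groups.items():
        if len(events) < min_hits:
            continue
        events.sort()
        stamps = [ts for ts, _ in events]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append({
                "client": client,
                "host": host,
                "interval_s": round(avg),
                "hits": len(events),
                # A static "not found" page has a constant size; a page carrying
                # changing commands tends not to.
                "distinct_body_sizes": len({size for _, size in events}),
            })
    return suspects


if __name__ == "__main__":
    for s in find_404_beacons(LOG.splitlines()):
        print(s)
```

The periodicity is the discriminator, not the 404 itself: one-off 404s from a CDN or a blog are normal, and a genuine error page also has a body. Corroborate a hit by pulling the 404 bodies from the proxy cache and checking whether they look like a server's stock error page or something the client could act on.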

That's pretty clever if we can say so ourselves.

"Upgrading old malware to include PoS RAM-scraping capabilities is a new technique in the threat landscape, but it’s not surprising given how lucrative stolen payment card data is," Trend Micro explains. "It shows that more and more cybercriminals are putting two and two together to make more money."

Images: Kasidet C&C server, 404 error with bot instructions; DDOS botnet upgraded with PoS scraping features; Kasidet delivered via spam email.