Malware News Kasidet PoS Credit Card Scraper Hides C&C Servers on Namecoin's Blockchain

[Exterminator]

A versatile malware family has added the capability of using Namecoin's blockchain-based DNS service to hide C&C (command and control) servers.

Back in mid-September 2015, security researchers from Russian-based cyber-security firm Dr.Web were announcing the discovery of a new malware strain targeting PoS systems called Trojan.MWZLesson.

Researchers were befuddled by the presence of features that allowed this malware to launch DDoS attacks. A week later, security researchers from Trend Micro, discovered that this trojan was actually the Kasidet (Neutrino) DDoS malware that added support for a PoS memory scraping module, a discovery also confirmed by Dr.Web later on.

Kasidet operators were deploying this module only when they detected the presence of PoS software on the infected device, and were using it to collect credit card numbers as PoS data was processed inside the OS memory.

Besides this feature, Kasidet's PoS module could also intercept GET and POST requests from browsers such as Firefox, Google Chrome, and Internet Explorer. The malware would send this data to its C&C servers, where the crooks would later break down, analyze, and extract any sensitive information if sent in cleartext.

Kasidet's PoS memory scraping module evolves
Going forward to early August, this PoS scraping module has received an update, Dr.Web reports, and is now using Namecoin's DNS service Dot-Bit (.bit) to hide its C&C servers.

Dot-Bit is a domain name service that's hosted via Namecoin's blockchain (database) that allows a person to create .bit domains that link back to his computer.

To access these .bit websites, users need a special tool called NMControl, just like users need the Tor Browser to access .onion links.

"Although malware programs that use this Namecoin technology have been known since 2013, they are not frequently detected in the wild," Dr.Web researchers note.