SHA1 3cbfa9b48674d7fa4ad0d77d99ae461dc2827b23 (packed)
A Trojan designed to infect POS terminals. This malicious program is, in fact, a “crippled” version of BackDoor.Neutrino.50. Once launched, the Trojan modifies the following registry branch:
1003\Software\Microsoft\Windows\CurrentVersion\Run] 'hh.exe' = '%APPDATA%
The Trojan encompasses a module that checks the infected device's RAM for bank card data. The malicious program sends all acquired bank card data and other intercepted information to the command and control server.
Trojan.MWZLesson can intercept GET and POST requests sent from the infected machine's browsers (Firefox, Chrome or Internet Explorer). Such requests are forwarded to the command and control server run by cybercriminals. Moreover, this malicious program can execute the following commands:
- CMD—forward the command to the command interpreter (cmd.exe)
- LOADER—download and run a file (dll—using the regsrv tool, vbs—using the wscript tool, exe—run directly)
- UPDATE—update itself
- rate—set a time interval for communication sessions with the command and control server
- FIND—search documents using a mask
- DDOS—mount an HTTP Flood attack
Trojan.MWZLesson communicates with the server over the HTTP protocol. The server replies with the 404 error as follows:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>
The requested URL /css/tasks.php was not found on this server.</BODY></HTML>
<!-- DEBUGc3VjY2Vzcw==ENDOF -->
Data between the DEBUG and ENDOF tags is a message encrypted with base64.
All packages sent by the Trojan are not encrypted. However, if a special cookie parameter is missing from a package, the server ignores it.
Bank card information is sent in the following package:
where type indicates the "Track1" or "Track2" strings,
data indicates bank card information,
p indicates the process name.