- 79b863bd3148c84229e81d6c5aed65390a2cba18 rar_sfx.scr
- e37f808d6147022f0ee79c34f80697af86ab571e entroentry.exe
- a673eec895f7009873c400247d056c325935be76 entroentry.unp
- a9e2c692887ad9732d566e6818e32a6a7466d593 payload
A Trojan for POS terminals. It is a modification of Trojan.MWZLesson.
The Trojan is distributed as a ZIP archive that contains a SCR file, which is a self-extracting SFX-RAR archive. This file then extracts, runs entroentry.exe, a malicious application, and saves an empty file named indexoid.txt.
Once launched, the Trojan checks the system for its copy and tries to detect one of the following running processes:
The Trojan attempts to find the following modules in its process:
In addition, the Trojan determines whether a debugger or virtual machines are present on the system. If it finds a program that can somehow hinder the Trojan’s operation, Trojan.Kasidet.1 executes the following command in CMD:
ping 127.0.0.1 -n 3 & del “<full path to the Trojan>"
And then it terminates and deletes itself from the system.
To start its malicious activity, it is run with administrator privileges executing the following command for wmic.exe:
process call create < full path to the Trojan >
Even though the User Accounts Control (UAC) system demonstrates a warning on the screen, the victim is put off their guard because the running application (wmic.exe) is allegedly developed by Microsoft:
Then wmic.exe runs the Trojan’s executable file.
In Microsoft Windows 8, the Trojan disables SmartScreen and modifies the system registry branch:
Then it deletes the following value:
The Trojan modifies the Windows registry to ensure running of its copy.
Like Trojan.MWZLesson, this Trojan executes the following functions:
- Checks the infected computer's RAM for bank card data and sends all acquired bank card data to the command and control server.
- Steals passwords for Outlook, Foxmail, and Thunderbird email applications.
- Incorporates itself into Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers in order to intercept GET and POST requests.
- Upon a command, searches for a particular file on disks—if the file is found, it is sent to the server.
- Updates itself by downloading an executable file from the specified URL. Then the Trojan saves the file to its folder under a random name and runs it. If launched successfully, it removes data, necessary for its autorun, from the registry and tries to delete the original file.
- Saves and removes parameters specified in the system registry.
- Downloads and runs an executable file or a dynamic library that is then loaded to the memory with the help of the regsvr32 /s <file name> command.
- Executes specified commands in CMD.
Unlike Trojan.MWZLesson, C&C server addresses of Trojan.Kasidet.1 are placed in a decentralized domain zone—.bit (Namecoin). It is a system of alternative root DNS servers, which is based on the Bitcoin technology.