In September 2015, cyber security experts reported the discovery of a new sophisticated PoS malware called as – Trojan.MWZLesson, that was capable of launching DDOS attacks.
Typical POS malware attacks POS hardware and software. However, this new strain was a mix of different malware. Typical POS malware scrapes the POS RAM for payment card data and sends the data to C&C (command and control) servers. The new malware however also intercepted GET and POST requests from the browser, and these data too were sent to C&C servers. If these data were unprotected then they could be broken into and deciphered. The Trojan.MWZLesson was also able to execute commands such as LOADER and DDOS. This malware is considered to be a combination of BackDoor.Neutrino.50 and the POS malware – Trojan.PWS.Dexter.
Later on, another group of cyber security specialists reported discovery of a Kasidet DDOSing Bot that featured credit card scraping capabilities. The Kasidet was also known by another name- Neutrino, and it had been around for many years and it is a well-known bot. Cyber criminals enhanced its capabilities, adding new modules of malware. They added a PoS malware – a PoS RAM scraper, that could steal payment card data in the RAM. This bot was detectable by security programs, but even then it successfully spread through exploit kits and email spam campaigns.
However, even though it is detectable it was highly sophisticated. Every communication with the C&C server linked to the bot elicited just one response – “a 404 Not Found Error” – however, beneath this message the malware had been hardcoded with malicious instructions for the bot.
Lately, cyber security experts discovered that the latest Trojan.MWZLesson and the latest Kasidet DDOSing Bot were the same. They were POS Malware that was capable of DDOS attacks.
The cybercriminals controlling the Kasidet identified POS systems infected with POS malware that was stealing payment card data and then infected these systems with the DDOS module of the POS malware.
Cyber security experts are now reporting that the Kasidet PoS RAM scraping module has been enhanced by the criminals, and it is now capable of hiding its C&C servers in the Namecoin’s DNS service Dot-Bit (.bit). This is a domain name service that is hosted through Namecoin’s blockchain, and this allows the creation of .bit domains that can be linked back to user systems. The NMControl tool would enable access to .bit websites.
POS security can be ensured by employing effective endpoint antimalware security systems, and the applications in the POS devices can be protected against malware by containerization.