MWZLesson
Threat Scorecard
Threat Level: 90% (High)
Infected Computers: 92
First Seen: September 30, 2015
Last Seen: May 22, 2023
OS(es) Affected: Windows
MWZLesson is a Point of Sale (PoS) Trojan that is used to steal money by gathering credit card data directly at the credit card terminal. PoS Trojans like MWZLesson are extremely threatening because they have the potential to collect credit card credentials from large numbers of users. While a traditional banking Trojan will compromise a single computer user's credit card data, a PoS Trojan like MWZLesson may collect the credit card credentials of hundreds or even thousands of customers who use the infected terminal during the period in which it is infected. MWZLesson and other PoS Trojans are not widespread, but they do pose a severe threat. MWZLesson was developed using pieces of code from different, existing infections. If you suspect that your PoS system has been infected with MWZLesson, you should take appropriate security measures to ensure that customers' data is not exposed.
A Brief Analysis of MWZLesson and Other PoS Trojans
MWZLesson was designed by reusing the code of several popular PoS Trojan infections. The main contributors to the MWZLesson code are Dexter, a popular PoS Trojan, and Neutrino, a backdoor Trojan infection. Using code from Dexter, MWZLesson is able to collect data from point of sale terminals. The contribution from Neutrino allows MWZLesson to infect terminals and relay data to a remote server easily. A MWZLesson infection has a singular goal: to gather credit card data. To do this, MWZLesson will scan the affected computer and then relay the collected information to its command and control server. MWZLesson is specifically designed to infect point of sale payment terminals at retail stores or similar services.
How MWZLesson May Collect Credit Card Data
MWZLesson scrapes the RAM of the infected terminal in search of credit card numbers and other information. Using the HTTP protocol, MWZLesson connects to its Command and Control server and relays credit card data using GET and POST requests. MWZLesson can intercept POST and GET requests from Web browsers on the infected computer (including Internet Explorer, Google Chrome and Mozilla Firefox). These requests are then delivered to the Command and Control server. Apart from these operations, MWZLesson can receive updates, download and execute other files, search for specific files on the victim's computer and perform a variety of other operations. In fact, MWZLesson may be used to carry out DDoS attacks and similar operations from an infected terminal.
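Because the Trojan relays card data over HTTP GET and POST, outbound web traffic from PoS terminals is a natural place to look for it. The following detection sketch is an added example, not code from this page's authors or from any MWZLesson sample: it flags proxy-log requests from PoS terminals that go to a destination outside a payment-processor allowlist or that carry a Luhn-valid card-length number in the URL. The subnet, host names and log format are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions (constructed for this example): PoS subnet and processor allowlist.
POS_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_HOSTS = {"gateway.processor.example"}

# Constructed proxy log lines: "<src_ip> <method> <url> <bytes_sent>"
SAMPLE_LOG = """\
10.20.0.11 POST https://gateway.processor.example/v1/authorize 412
10.20.0.11 GET http://updates.unknown-host.example/upload?d=4111111111111111 96
10.20.0.12 POST http://updates.unknown-host.example/upload 2048
10.30.5.7 GET http://news.example/index.html 0
10.20.0.13 GET https://gateway.processor.example/status?ref=1234567890123456 0
"""

# A run of 13-19 digits not embedded in a longer digit string (card-number length).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def review(log_text):
    """Return (src, method, host, reasons) for each suspicious PoS request."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        src, method, url, _size = parts
        if ipaddress.ip_address(src) not in POS_NET:
            continue  # only PoS terminals are in scope
        host = urlsplit(url).hostname
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append("non-allowlisted destination")
        if any(luhn_ok(m) for m in PAN_RE.findall(url)):
            reasons.append("Luhn-valid card-length number in URL")
        if reasons:
            alerts.append((src, method, host, reasons))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The URL check only sees what the proxy logs, so POST bodies are covered by the allowlist rule alone unless request bodies are also inspected.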
How MWZLesson Protects Itself from Detection
One particularly threatening aspect of MWZLesson is that this Trojan can avoid detection and removal. MWZLesson uses a variety of tactics to find out whether it is being observed and then attempts to interfere with these kinds of operations in order to make it more difficult for PC security researchers to study and remove MWZLesson. MWZLesson can perform a check to ensure that it is not being run in virtual environments like the ones that may be used by PC security researchers to investigate threats. MWZLesson can also check for debuggers and other programs typically used by PC security researchers. MWZLesson will also gather information about the computer where it is being run. If MWZLesson detects that it is running in a virtual environment, MWZLesson can remove itself and other programs on the infected computer, making it difficult for malware researchers to determine exactly how MWZLesson operates.
MWZLesson poses a severe threat to computer users. Business owners and managers that operate Point of Sale systems must take care to ensure that their terminals are completely protected from threats. A reliable security application designed for businesses and these kinds of environments is essential to ensure that customers are protected from MWZLesson and other PoS threats.