Trojan.Kasidet

Trojan.Kasidet is a generic detection name for a PoS malware a.k.a. Point-of-Sale Trojan that was under surveillance as early as 2015 and was added to most AV databases in 2016. The Trojan.Kasidet was hard to classify as it is a mix of code we have seen in the Dexter Infostealer and the Neutrino Bot. Some malware analysts found similarities with the MWZLesson PoS malware as well. The cyber threats of today are usually equipped to handle various tasks that range from network proliferation and data encryption to fileless spying. Hence, Trojans can have Worm-like features, and Backdoor Trojans can be used for DDoS (Distributed Denial of Service) attacks.

Trojan.Kasidet is known to be dropped to vulnerable PoS stations and poses as a legitimate Microsoft product called 'WMI Commandline Utility by Microsoft.' In many cases, threat actors use SFX-RAR (Self-Extracting Archive) files and social engineering to lure poorly educated PC users into installing malware on their devices. Trojan.Kasidet is observed to scan PoS computers for the following processes:

• prl_cc.exe
• prl_tools.exe
• vboxservice.exe
• vboxtray.exe
• vmsrvc.exe
• vmusrvc.exe
• vmwaretray.exe
• vmwareuser.exe

The threat proceeds to search for the following modules:

• api_log.dll
• dir_watch.dll
• pstorec.dll
• sbiedll.dll
• vmcheck.dll
• wpespy.dll

Trojan.Kasidet reads the information stored on the magnetic line of your debit/credit card and monitors the PoS device for PIN input. As soon as you enter your PIN and the system confirms a successful payment, Trojan.Kasidet sends the collected data to its operators. AV companies found that Trojan.Kasidet may communicate with 'Command and Control' servers on the following addresses:

enotecacattaneo[.]it (62.149.128.151)
lattone[.]com (62.149.128.160)
mondaynightfundarts[.]com (216.18.70.74)
pationare[.]bit (144.76.133.38)
studiolegalecontrini[.]com (62.149.128.74)
usuellialfonso[.]it (62.149.128.160)
valentigomme[.]com (62.149.128.151)
www[.]enotecacattaneo[.]it (31.11.32.73)
www[.]lattone[.]com (31.11.33.18)
www[.]studiolegalecontrini[.]com (31.11.32.88)
www[.]usuellialfonso[.]it (89.46.105.15)
www[.]valentigomme[.]com (31.11.32.119)

You may want to know that Trojan.Kasidet can be used to collect the user’s credentials from Internet clients powered by the Triton, the Gecko and Blink layout engines. That means logins saved in Mozilla Firefox, SeaMonkey Opera, Google Chrome, SRWare Iron, Internet Explorer, Avant Browser and Maxthon can be misappropriated. Also, Trojan.Kasidet is reported to extract logins from email clients such as Outlook, Foxmail, and Thunderbird and send the collected credentials to the following IP addresses:

adika-win-iphone[.]comyr[.]com/god
dlms1[.]ir/php5
cosmeticsurgeryonline[.]in
dev1[.]appsichern[.]de
cosmeticsurgeryonline[.]in/lib

It is advised to purge the Trojan.Kasidet malware with the assistance of a reputable computer security scanner. Advanced computer users and network administrators may be able to pick up on the network transmissions of Trojan.Kasidet and succeed to remove it quickly. AV companies are known to use the following detection names regarding resources created by Trojan.Kasidet:

• Gen:Variant.Zusy.241505
• TR/Crypt.ZPACK.sfpmn
• TROJ_GEN.R047C0DFD17
• Trojan ( 0050fdd41 )
• Trojan-FNAX!3541BA797863
• Trojan/Win32.Kasidet.C2000867
• W32/Kryptik.FTDD!tr
• W32/S-6d307b46!Eldorado
• WORM_HPKASIDET.SM1

Table of Contents

1

SpyHunter Detects & Remove Trojan.Kasidet