WORM_KASIDET.NM

This is one of the samples related to the Neutrino bot or Kasidet. Its code was leaked in the underground forum last July 2015. This malware, which has PoS-scraping routines, is also the payload for the Sundown exploit kit.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• %User Temp%\nsu2C5.tmp
• %User Temp%\bin.exe
• %User Temp%\nsz2C6.tmp\Samian.dll
• %Application Data%\tag(2)
• %Application Data%\Read Me Info.txt
• %Application Data%\jackajeoaer.jpg
• %Application Data%\index(11).php
• %Application Data%\photo(5).jpg;

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Drive Letter}:\WinSystemKB001.exe -copy of itself
• {Drive Letter}:\autorun.inf - autorun technique

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Loads arbitrary file
• Find files
• Spread through removable drives
• Infect .RAR files
• Perform Flood attacks (HTTP, SLOW, DWFLOOD, TCP, UDP, SMART, HTTPS)
• Start keylogging routine
• Update itself
• Uninstall itself
• Perform remote shell
• Modify HOSTS file
• Search running process for credit card data

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://www.{BLOCKED}eagaaa.ws/login/tasks.php
• http://www.{BLOCKED}tycheckpointsdomain.com/users/tasks.php
• http://www.{BLOCKED}tydomains1.com/security/tasks.php
• http://www.{BLOCKED}esecurity.ws/login/tasks.php

Information Theft

This worm gathers the following data:

• User ID
• OS Version
• AV software installed
• NAT installed
• Product key

NOTES:

The randomly named file may be any of the following:

• KIS_keygen.exe
• Keygen.exe
• RealPhoto.exe
• Readme.exe
• Tutorial.exe
• photo_private.exe
• WinUpdate.exe
• CS16.exe
• VKHackePri8.exe
• DotaMagic.exe
• Update.exe

This backdoor checks for the following:

• Debugger and Virtualization registries and applications:
  • VMWare
  • Wine
  • Sandboxie
  • Qemu
  • VirtualBox
• Computer name contains the following strings:
  • MALTEST
  • TEQUILABOOMBOOM
  • SANDBOX
  • VIRUS
  • MALWARE
• Path of the file contains the following strings:
  • \SAMPLE
  • \VIRUS
  • SANDBOX

If any of the conditions is met, it terminates itself and displays an error message.