Security experts at Trend Micro have discovered a new PoS malware, tracked as MajikPOS, that is targeting businesses in North America.
The experts explained that MajikPOS has the same capabilities as any other PoS malware, but it features an interesting modular approach in execution.
The first attacks involving MajikPOS were observed at the end of January 2017. The malicious code borrows features from both PoS malware and remote access Trojans (RATs).
“We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A).” reads the analysis shared by Trend Micro. “Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct.”
In the past, researchers have observed other PoS malware with multiple components, each tasked with a different function (i.e. FastPOS (its updated version), Gorynych, ModPOS), but according to Trend Micro the modular structure of MajikPOS is quite different: MajikPOS needs only one additional component, fetched from the server, to conduct its RAM scraping routine.
MajikPOS is written using the “.NET framework” and uses an encrypted communication channel to avoid detection.
The crooks did not use sophisticated techniques to compromise the targets: they gained access to the PoS systems through brute-force attacks on Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services protected by easy-to-guess passwords.
In some cases, the cyber criminals used Command-line FTP (File Transfer Protocol) or a modified version of Ammyy Admin to install the MajikPOS malware.
In other cases, attackers used RATs previously installed on the system; the researchers noticed that in several attacks the RATs had been installed on the targets’ machines between August and November 2016.
Looking at other MajikPOS tricks, the experts noticed that its operators used common lateral movement hacking tools to gain access to other systems on the host network.
Once installed on a machine, the malicious code connects to the C&C server and receives a configuration file with three entries to be used later.
The C&C panel used by the operators is called Magic Panel.
The RAM scraping component of the threat is called Conhost.exe. It scans memory searching for card data from the major card issuers, including American Express, Diners Club, Discover, Maestro, Mastercard, and Visa.
It verifies the credit card’s track data and then sends it to the C&C server via HTTP POST.
“After verifying the credit card’s track data, the information is sent to the C&C server via HTTP POST, Action=”bin”.” continues the post published by Trend Micro.
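From the defender's side, the same track-data validation the scraper performs can be turned into a detection for the exfiltration step described above: inspect outbound HTTP POST bodies for Track 1/Track 2 formatted data that passes the Luhn check and belongs to one of the named issuers. This is an added example, not Trend Micro's or the malware's code; the POST bodies are constructed samples, and the issuer prefix table is a deliberately simplified assumption (real IIN ranges are broader).

```python
import re
from typing import Dict, List, Optional

# Constructed POST bodies modelled on the "Action=bin" exfiltration described in the article.
SAMPLE_POSTS = [
    "Action=bin&data=%B4111111111111111^DOE/JOHN^25121011000000?",  # Track 1, Visa test PAN
    "Action=bin&data=;378282246310005=2512101?",                    # Track 2, Amex test PAN
    "Action=bin&data=;4111111111111112=2512101?",                   # looks like Track 2, fails Luhn
    "Action=ping&data=none",                                         # benign beacon
]

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")

# Simplified issuer identification by leading digits (assumption, not a full IIN table).
# Longer/more specific prefixes are listed before the generic Visa "4".
ISSUER_PREFIXES = [
    ("American Express", ("34", "37")),
    ("Diners Club", ("36", "38")),
    ("Discover", ("6011", "65")),
    ("Mastercard", ("51", "52", "53", "54", "55")),
    ("Visa", ("4",)),
]

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def issuer(pan: str) -> Optional[str]:
    for name, prefixes in ISSUER_PREFIXES:
        if pan.startswith(prefixes):
            return name
    return None

def scan_post(body: str) -> Optional[Dict]:
    """Return a finding for a POST body carrying plausible card track data, else None."""
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        m = rx.search(body)
        if m and luhn_ok(m.group(1)) and issuer(m.group(1)):
            pan = m.group(1)
            return {"track": track, "issuer": issuer(pan),
                    "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                    "action_bin": body.startswith("Action=bin")}
    return None

def scan_posts(bodies: List[str]) -> List[Dict]:
    return [hit for hit in (scan_post(b) for b in bodies) if hit]
```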
Further investigation allowed the experts to discover that the registrant for the Magic Panel servers also registered many other websites used to sell stolen credit card data.
According to Trend Micro, the websites managed by the gang behind the threat currently offer around 23,400 stolen credit card tracks for sale, priced between $9 and $39 depending on the type of card. The crooks also offer bulk packages of 25, 50, and 100 cards, priced at $250, $400, and $700, respectively.
“Some of these websites were advertised on carding forums as early as February 2017 by a user called “MagicDumps”, who has been updating the forums for new dumps based on location—mostly in the U.S. and Canada.” added Trend Micro.
As a mitigation strategy, the experts suggest properly configured chip-and-PIN credit cards with end-to-end encryption; unfortunately, many merchants still haven’t implemented the PIN part of the chip-and-PIN process.