Trend Micro security experts have discovered a new PoS malware, named MajikPOS, that is currently targeting businesses across North America and Canada.
According to Trend Micro, MajikPOS has the same data-stealing capabilities as other PoS malware, but it stands out for its modular approach to execution. The first MajikPOS attacks were noticed at the end of January this year; in those attacks the operators combined PoS malware with remote access Trojan (RAT) features.
“We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A).” – states the analysis shared by Trend Micro – “Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct.”
The experts had previously come across other PoS malware built from multiple components, each responsible for a different function (for example Gorynych, ModPOS, and the updated versions of FastPOS). According to Trend Micro, MajikPOS is still different: it needs only one additional component, fetched from its server, to carry out its RAM scraping routine. MajikPOS is written in the .NET framework and uses an encrypted communication channel to its server to avoid detection.
The attackers did not need advanced techniques to carry out the intrusions. They simply brute-forced Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services that were protected only by weak passwords in order to gain access to the PoS systems.
In some cases the crooks installed MajikPOS using a modified version of Ammyy Admin or a command-line FTP (File Transfer Protocol) client. In other cases they used RATs that were already present on the systems; in some of the attacks the researchers found that these RATs had been installed on the targeted machines between August and November of last year. To reach other systems on the victim network, MajikPOS's operators rely on commonly used lateral movement tools.
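The initial access described above (password guessing against exposed RDP) leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10 = RemoteInteractive) from one source address, followed by a success (event 4624) from the same address. The following is an added example of that detection logic, written for this page and not taken from Trend Micro's report or from any product; it assumes the events have been exported as one JSON object per line with the field names used in the constructed sample, which is not real log data.

```python
"""Detect RDP password brute-forcing in exported Windows Security events.

Added example, not code from Trend Micro or from the MajikPOS operators.
Assumes events were exported one JSON object per line with the field names
shown in SAMPLE_EVENTS (constructed data). Event IDs 4625 (failed logon),
4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP)
are real Windows Security log semantics.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a short burst of failed RDP logons from one source,
# then a success from the same source, plus unrelated local noise.
SAMPLE_EVENTS = """\
{"ts": "2017-01-28T02:14:01", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:14:03", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:14:04", "event_id": 4625, "logon_type": 10, "user": "pos", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:14:06", "event_id": 4625, "logon_type": 10, "user": "pos1", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:14:08", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:14:10", "event_id": 4624, "logon_type": 10, "user": "pos1", "src_ip": "203.0.113.45"}
{"ts": "2017-01-28T02:20:00", "event_id": 4625, "logon_type": 2, "user": "cashier", "src_ip": "127.0.0.1"}
{"ts": "2017-01-28T09:00:00", "event_id": 4624, "logon_type": 10, "user": "itadmin", "src_ip": "10.0.0.5"}
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse JSON-lines export into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold`
    failed RDP logons inside a sliding `window`; the alert records the
    usernames tried and the first account that later logged in successfully
    from that IP, which is the strongest sign the password was guessed."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    tried = defaultdict(set)        # src_ip -> usernames attempted
    alerts = {}                     # src_ip -> alert dict
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                # only remote-interactive (RDP) logons
        ip = e["src_ip"]
        if e["event_id"] == FAILED_LOGON:
            q = failures[ip]
            q.append(e["ts"])
            tried[ip].add(e["user"])
            while q and e["ts"] - q[0] > window:
                q.popleft()         # drop failures older than the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"src_ip": ip, "failures": len(q),
                              "first": q[0], "last": e["ts"],
                              "users": sorted(tried[ip]), "success_user": None}
        elif e["event_id"] == SUCCESS_LOGON and ip in alerts \
                and alerts[ip]["success_user"] is None:
            alerts[ip]["success_user"] = e["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(a)
```

Tune `threshold` and `window` to the environment; the important part is the correlation with a subsequent 4624 from the same address, since a lone burst of failures is common noise on any Internet-exposed RDP host, while failure followed by success from an unknown address is exactly the pattern behind these intrusions.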
Once installed on a machine, the malicious code connects to its command-and-control (C&C) server and receives a configuration file with three entries that are used later. Conhost.exe is the RAM scraping component: it scans process memory for credit card data of the major card brands, including Visa, American Express, Maestro, Mastercard, Discover, and Diners Club. After verifying a card's track data, it sends it to the C&C server via HTTP POST.
“After verifying the credit card’s track data, the information is sent to the C&C server via HTTP POST, Action=”bin”.” – continues the post published by Trend Micro.
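To make the RAM scraping step concrete, here is an added example of what a scraper such as the conhost.exe component has to do, and equally what a defensive memory scanner can check: find Track 2 data in a buffer, verify it, and classify the card brand. It is not MajikPOS code and not Trend Micro's; the "verification" is assumed here to be a Luhn check digit test, the brand prefix table is a simplified assumption, and the buffer is constructed from the public test card numbers issuers publish for integration testing, not real card data.

```python
"""Find and verify payment card Track 2 data in a memory-like buffer.

Added example illustrating the RAM scraping routine described in the
article (and the check a defender's memory scanner can apply). Not the
malware's code. Assumptions: verification is a Luhn check; the brand
prefix table is simplified; the buffer uses public test card numbers.
Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code
discretionary-data '?'.
"""
import re

# Start sentinel, 13-19 digit PAN, separator, YY, MM, 3-digit service code,
# optional discretionary data, end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Simplified issuer identification by leading digits and PAN length.
# Order matters: Discover's 6011/65 must be tested before Maestro's bare 6.
ISSUER_PREFIXES = [
    ("American Express", ("34", "37"), (15,)),
    ("Diners Club", ("36", "38", "300", "301", "302", "303", "304", "305"), (14,)),
    ("Discover", ("6011", "65"), (16,)),
    ("Mastercard", ("51", "52", "53", "54", "55"), (16,)),
    ("Maestro", ("50", "56", "57", "58", "6"), tuple(range(12, 20))),
    ("Visa", ("4",), (13, 16, 19)),
]

# Constructed buffer: terminal noise around three valid test PANs and one
# digit run that looks like a PAN but fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00PosTerminal v2.1\x00"
    b";4111111111111111=25121011234567890?"   # Visa test PAN
    b"\x00\x00\x00order_id=8821\x00"
    b";378282246310005=2410101?"              # American Express test PAN
    b";1234567890123456=2501101?"             # fails Luhn, must be ignored
    b";5555555555554444=2303201?"             # Mastercard test PAN
    b"end\x00"
)


def luhn_ok(pan):
    """Luhn check digit test; random digit runs pass it only 1 time in 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_issuer(pan):
    """Return the card brand for a PAN, or None if no prefix/length matches."""
    for name, prefixes, lengths in ISSUER_PREFIXES:
        if len(pan) in lengths and pan.startswith(prefixes):
            return name
    return None


def mask_pan(pan):
    """Keep the first 6 and last 4 digits; a defensive tool logs only this."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf):
    """Return a dict per verified Track 2 record found in `buf`."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        issuer = identify_issuer(pan)
        if issuer is None:
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "issuer": issuer,
            "expiry": "20%s-%s" % (m.group(2).decode(), m.group(3).decode()),
            "service_code": m.group(4).decode(),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
```

The Luhn and prefix filters are what keep a scraper's output (and a defender's alerts) free of random digit runs; they are also why end-to-end encryption of the card data at the reader defeats this class of malware outright: encrypted track data never appears in process memory in this form, so there is nothing for the scan to match.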
A deeper investigation revealed that the registrant of the Magic Panel servers (the malware's C&C panel) had also registered many other websites used to sell stolen credit card data. According to Trend Micro, the websites managed by the cyber-criminal gang currently offer more than 23,400 credit card tracks for sale, priced between $9 and $39 each. The hackers also offer bulk packages of 25, 50 and 100 cards at $250, $400 and $700.
“Some of these websites were advertised on carding forums as early as February 2017 by a user called “MagicDumps”, who has been updating the forums for new dumps based on location—mostly in the U.S. and Canada.” – Trend Micro added.
As a security measure, the experts recommend end-to-end encryption of card data and properly configured chip-and-PIN. Encryption at the card reader matters because a RAM scraper can only harvest track data that reaches the PoS system's memory in the clear. Unfortunately, the PIN part of chip-and-PIN has not yet been implemented by most merchants.