MajikPOS – A POS Malware Attack & Steal Payment Data From Credit/Debit Cards

by Esmeralda McKenzie

Not long ago, Group-IB's cybersecurity researchers discovered that threat actors exploiting two vulnerabilities in point-of-sale payment devices had stolen the data of more than 167,000 credit cards.

During a security audit conducted by Group-IB on April 19, 2022, a C2 server for the POS malware codenamed MajikPOS (aka MagicPOS) was identified. The experts were able to examine the activity of the server's operators because of a poor configuration of the server.

In early 2017, Trend Micro discovered the MajikPOS PoS malware for the first time. At that time it was used by the threat actors to target companies in the following areas:-

  • North America
  • Canada

MajikPOS

MajikPOS POS malware is the successor of Treasure Hunter (aka TREASUREHUNT). Since 2014, Treasure Hunter had remained below the radar of security researchers. Then, in 2018, the source code of Treasure Hunter was leaked.

"For the purpose of avoiding detection, MajikPOS is written in .NET and communicates with its server via an encrypted channel. There was no sign of sophisticated techniques being used by the operators to compromise the targeted victims," Group-IB said in a research report shared with Cyber Security News.

With the help of brute-force attacks on VNC and RDP services, the threat actors gained access to the PoS systems. The MajikPOS malware was sometimes installed by the threat actors using command-line FTP or modded versions of Ammyy Admin.

A user with the username cartonash posted an announcement on the underground forum "exploit[.]in" concerning the sale of the MajikPOS source code on July 18, 2019.

It has been circulating on the dark web ever since. As a result, it becomes increasingly difficult to attribute it to a specific threat actor or group.

Data Stolen

The following was discovered during the course of the investigation by the Group-IB experts:-

  • In the MajikPOS panel, there are 77,400 unique card dumps.
  • In the Treasure Hunter panel, there are 90,000 unique card dumps.

The majority of the stolen credit cards were issued by banks in the following countries, listed below:-

  • The U.S.
  • Puerto Rico
  • Peru
  • Panama
  • The U.K.
  • Canada
  • France
  • Poland
  • Norway
  • Costa Rica

It is unknown who is behind this malware or which group of threat actors operates it. Even now, it is unclear whether the stolen data was sold to third parties for financial gain or not.

As a result of the theft of these dumps, the threat actors could potentially make up to $3,340,000 if they sold the dumps on underground markets.

It is critical for banks to enforce adequate security measures in order to avoid severe consequences from this. Threat actors could easily take advantage of this situation to make use of cloned cards. Using cloned cards in this way, they would be able to carry out:-

  • Switch of funds
  • Withdrawal of funds
  • Unauthorized transactions

However, the limitations of PoS malware have resulted in its decreased attractiveness to threat actors over the course of the past couple of years.

Source credit: cybersecuritynews.com
