MajikPOS is the new POS malware just discovered and analyzed by researchers at TrendMicro. The malware is currently targeting businesses in the U.S. and Canada. Researchers believe the attacks started this year around January 28.
MajikPOS Technical Overview
Like other POS malware, MajikPOS is designed to steal payment card data, but it needs a second component, fetched from its server, to carry out its RAM scraping routine. Its name comes from the command-and-control (C&C) server panel that issues commands and receives the exfiltrated data, the researchers explain. POS malware, MajikPOS included, is becoming increasingly sophisticated and better at evading traditional defenses.
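The RAM scraping routine mentioned above is, across the POS malware family, a search of process memory for the shape of magnetic-stripe track data. The following is an added illustration, not MajikPOS code and not from the TrendMicro report: it scans a constructed memory buffer for ISO 7813 Track 2 records and keeps only candidates whose primary account number passes the Luhn check, which is the same logic a memory-scanning detection or DLP tool would apply. The buffer contents and the test PANs are constructed sample data.

```python
import re

# Track 2 record as written on a magnetic stripe (ISO/IEC 7813):
#   ;<PAN 13-19 digits>=<YY><MM><service code 3 digits><discretionary data>?
# RAM scrapers look for exactly this shape; the leading ';' and trailing '?'
# sentinels are optional here because they are not always present in memory.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\??")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN satisfies the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes):
    """Find Track 2 candidates in a raw memory buffer and filter false positives."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # digit runs that merely look like a PAN
        yy, mm, svc = (m.group(i).decode() for i in (2, 3, 4))
        if not 1 <= int(mm) <= 12:
            continue            # expiry month must be plausible
        hits.append({
            "pan": pan,
            "exp": f"{yy}/{mm}",
            "service_code": svc,
            "offset": m.start(),
        })
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN + last four) for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "process memory": two Luhn-valid test PANs and one that
# fails the checksum. No real card data.
SAMPLE_MEMORY = (
    b"\x00\x00POS terminal v2.1\x00"
    b";4111111111111111=2512101123456789?"   # valid Luhn, exp 25/12, svc 101
    b"\x00junk\x00"
    b";4111111111111112=2512101123456789?"   # fails Luhn: must be ignored
    b"\x00"
    b"5500000000000004=3006201000000000?"    # no leading ';', still matches
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(f"offset {hit['offset']}: {mask_pan(hit['pan'])} "
              f"exp {hit['exp']} svc {hit['service_code']}")
```

Running it reports two masked PANs and silently drops the record whose PAN fails the Luhn check; a Track 1 scanner follows the same pattern with a `%B<PAN>^<name>^` prefix instead.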
TrendMicro researchers were able to uncover the methods the hackers used to gain access to targeted endpoints:
- Virtual Network Computing (VNC);
- Remote Desktop Protocol (RDP);
- Easy-to-guess usernames and passwords;
- Previously installed RATs.
The attackers first checked that VNC and RDP were present and reachable, then fingerprinted the targets. Next they attempted to gain access with generic usernames and passwords, or by brute force. Researchers were also able to establish when the RATs were installed on the targeted endpoints: somewhere between August and November 2016.
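The access path described above (exposed RDP, generic credentials, brute force) leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a successful logon (Event ID 4624) from the same address. The detection below is an added example, not from the TrendMicro report; it runs over a constructed, simplified CSV export of such events rather than real EVTX/XML records, and the threshold and time window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events.
# Field order: time, event id, target user, source IP, logon type.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2017-01-28T02:14:03,4625,administrator,203.0.113.5,10
2017-01-28T02:14:07,4625,admin,203.0.113.5,10
2017-01-28T02:14:11,4625,pos,203.0.113.5,10
2017-01-28T02:14:15,4625,user,203.0.113.5,10
2017-01-28T02:14:19,4625,administrator,203.0.113.5,10
2017-01-28T02:14:23,4624,pos,203.0.113.5,10
2017-01-28T09:00:00,4625,jsmith,10.0.0.23,2
2017-01-28T09:00:30,4624,jsmith,10.0.0.23,2
"""


def parse_events(text: str):
    """Parse the simplified CSV export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ip, ltype = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(eid),
            "user": user,
            "ip": ip,
            "logon_type": int(ltype),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold RDP failures inside a sliding window,
    and any RDP success from such an IP while it is still over the threshold.
    threshold and window are assumed tuning values."""
    alerts = []
    recent_failures = defaultdict(list)   # ip -> timestamps of recent 4625s
    flagged = set()                       # one brute-force alert per ip
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:        # only RDP sessions matter here
            continue
        ip = ev["ip"]
        # drop failures that have aged out of the window
        recent_failures[ip] = [t for t in recent_failures[ip]
                               if ev["time"] - t <= window]
        if ev["id"] == 4625:
            recent_failures[ip].append(ev["time"])
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "rdp_bruteforce", "ip": ip,
                               "failures": len(recent_failures[ip]),
                               "time": ev["time"]})
        elif ev["id"] == 4624 and len(recent_failures[ip]) >= threshold:
            # success right after a burst of failures: guessed or brute-forced
            alerts.append({"kind": "rdp_bruteforce_success", "ip": ip,
                           "user": ev["user"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(a)
```

On the sample data the interactive (type 2) failure from the internal host is ignored, while the external address produces one brute-force alert at the fifth failure and a second alert when the `pos` account logs in from it four seconds later.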
If the endpoint piques the malefactors’ interest, they use a combination of VNC, RDP, RAT access, command-line FTP (File Transfer Protocol), and sometimes a modified version of Ammyy Admin—a legitimate, commercially available remote administration tool—to install MajikPOS by directly downloading the files usually hosted on free file-hosting sites. In the case of Ammyy Admin, its file manager capability is used instead. The modified version is sometimes named VNC_Server.exe or Remote.exe.
MajikPOS is written in .NET, which is still an uncommon choice for POS malware. It is not the first, however: GamaPOS, discovered in 2015, is the first documented POS malware written in the .NET framework.
Like other modern malware, MajikPOS uses encrypted communication with its C&C server, which makes it harder to detect at the network level. The attackers exploited open RDP ports, which is not unusual in such attacks.
TrendMicro also observed that the operators of the malware deployed “commonly used lateral movement hacking tools”. This could mean that the attackers would later attempt to further infiltrate the targeted network.
In other incidents, TrendMicro saw a command-line tool used to deploy MajikPOS alongside other POS malware. Another notable feature is that MajikPOS tries to hide by mimicking common Microsoft Windows file names.
As for mitigation, TrendMicro says that “properly configured chip-and-pin credit cards with end-to-end encryption (EMVs) should be unaffected by this threat.” Unfortunately, terminals that don’t support them are at risk. For full technical disclosure, refer to the full report.