MajikPOS Malware Targets Businesses in the U.S. and Canada

MajikPOS is the new POS malware just discovered and analyzed by researchers at TrendMicro. The malware is currently targeting businesses in the U.S. and Canada. Researchers believe the attacks started this year around January 28.


MajikPOS Technical Overview

The malware itself is designed to steal information, but it needs a second component fetched from the server before it can carry out its RAM-scraping routine. Its name comes from the command-and-control panel that receives commands and sends back exfiltrated data, researchers explain. Unfortunately, POS malware, MajikPOS included, is becoming increasingly sophisticated and is getting better at evading traditional defense mechanisms.

TrendMicro researchers were able to uncover the methods the hackers used to gain access to targeted endpoints:

  • Virtual Network Computing (VNC);
  • Remote Desktop Protocol (RDP);
  • Easy-to-guess usernames and passwords;
  • Previously installed RATs.

The attackers first made sure that VNC and RDP existed and were accessible, and proceeded with fingerprinting the targets. Then they would attempt to obtain access via generic usernames and passwords or via brute force. Researchers were also able to unearth the time when RATs were installed on targeted endpoints – somewhere between August and November, 2016.
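The access pattern described above (confirming that RDP is reachable, then guessing generic credentials) leaves a trace in Windows Security logs. As an added example that is not from the article or the Trend Micro report, the small Python detector below flags a source that accumulates several failed RDP logons in a short window and then succeeds. Event IDs 4625/4624 and logon type 10 are real Windows values; the log lines, addresses, account names and threshold are constructed for illustration.

```python
# Added example: detect RDP credential guessing followed by a successful logon.
# Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive (RDP). Everything else here is constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp, event id, logon type, source IP, account
SAMPLE_LOG = """\
2017-02-01T03:10:01 4625 10 198.51.100.7 administrator
2017-02-01T03:10:03 4625 10 198.51.100.7 admin
2017-02-01T03:10:05 4625 10 198.51.100.7 pos
2017-02-01T03:10:07 4625 10 198.51.100.7 posuser
2017-02-01T03:10:09 4625 10 198.51.100.7 user1
2017-02-01T03:10:12 4624 10 198.51.100.7 posuser
2017-02-01T09:00:00 4625 10 203.0.113.5 jsmith
2017-02-01T09:00:30 4624 10 203.0.113.5 jsmith
"""

FAIL_THRESHOLD = 5              # failures from one source within WINDOW (assumed)
WINDOW = timedelta(minutes=5)   # sliding window for counting failures (assumed)

def parse(log_text):
    """Parse the constructed records into (time, event_id, logon_type, ip, user)."""
    events = []
    for line in log_text.splitlines():
        ts, eid, ltype, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events

def find_rdp_bruteforce(events):
    """Return {ip: {"failures": n, "success_user": user_or_None}} for sources
    with >= FAIL_THRESHOLD RDP failures inside WINDOW; a later 4624 from the
    same source marks the account the guessing most likely succeeded on."""
    fails = defaultdict(list)   # ip -> recent RDP failure timestamps
    alerts = {}
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != 10:         # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            if len(fails[ip]) >= FAIL_THRESHOLD:
                alerts.setdefault(ip, {"failures": 0, "success_user": None})
                alerts[ip]["failures"] = len(fails[ip])
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_user"] = user   # guess-then-login: escalate
    return alerts

if __name__ == "__main__":
    print(find_rdp_bruteforce(parse(SAMPLE_LOG)))
```

A single failed logon from 203.0.113.5 followed by a success is ordinary user behaviour and produces no alert; only the five rapid failures from 198.51.100.7 followed by a successful logon as "posuser" are reported.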

If the endpoint piques the malefactors’ interest, they use a combination of VNC, RDP, RAT access, command-line FTP (File Transfer Protocol), and sometimes a modified version of Ammyy Admin—a legitimate, commercially available remote administration tool—to install MajikPOS by directly downloading the files usually hosted on free file-hosting sites. In the case of Ammyy Admin, its file manager capability is used instead. The modified version is sometimes named VNC_Server.exe or Remote.exe.

MajikPOS was written in .NET, which is uncommon for POS malware. Nonetheless, it is not the first POS malware to use .NET: GamaPOS, discovered in 2015, is the first documented PoS malware written in the .NET framework.


MajikPOS Features

Like other modern malware, MajikPOS uses encrypted communication so that it is harder to detect at the network level. The malware's operators also exploited open RDP ports, which is not unheard of in such attacks.

TrendMicro also observed that the operators of the malware deployed “commonly used lateral movement hacking tools”. This could mean that the attackers would later attempt to further infiltrate the targeted network.

In other incidents, TrendMicro witnessed a command-line tool leveraged to deploy MajikPOS, alongside other PoS malware. Another feature that makes MajikPOS notable is how it tries to hide by mimicking common file names in Microsoft Windows.

As for mitigation, TrendMicro says that “properly configured chip-and-pin credit cards with end-to-end encryption (EMVs) should be unaffected by this threat.” Unfortunately, terminals that don’t support them are at risk. For full technical disclosure, refer to the full report.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
