Researchers report that attackers used two PoS malware variants to steal information on more than 167,000 credit cards.
Cybersecurity firm Group-IB discovered two PoS malware families used to steal data related to more than 167,000 credit cards from point-of-sale payment terminals.
On April 19, 2022, Group-IB researchers identified the C2 server of a POS malware named MajikPOS. Because the server was poorly configured, the experts were able to investigate its operator’s activity and found that it was also used as a C2 for another POS malware called Treasure Hunter.
The MajikPOS PoS malware was first discovered by Trend Micro in early 2017, when it was used to target companies in North America and Canada.
MajikPOS is written using “.NET Framework” and uses encrypted communication channels to avoid detection.
Instead of using sophisticated techniques to compromise targets, the crooks gain access to PoS systems through brute-force attacks on Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services that are protected only by easy-to-guess passwords.
In some cases, cybercriminals used command-line FTP (File Transfer Protocol) or a modified version of Ammyy Admin to install the MajikPOS malware.
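The initial access described above leaves a recognisable trail on the terminal: a burst of failed remote logons from one address, sometimes followed by a successful one. The script below is an added example, not code from Group-IB or from this article. It runs a sliding-window count of failed RDP logons (Windows Security event 4625 with logon type 10) per source address and host over a constructed, simplified log sample, and raises the alert severity when a successful logon (event 4624) from the same source follows the burst. The flattened log format, field names, thresholds, host names and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): Windows Security events flattened the way
# a SIEM forwarder might emit them. EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses come from documentation ranges.
SAMPLE_LOG = """\
2022-09-08T10:00:01Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.7
2022-09-08T10:00:14Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.7
2022-09-08T10:00:27Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2022-09-08T10:00:41Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=pos SrcIP=203.0.113.7
2022-09-08T10:00:55Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=pos SrcIP=203.0.113.7
2022-09-08T10:01:09Z host=pos-term-01 EventID=4625 LogonType=10 TargetUser=pos SrcIP=203.0.113.7
2022-09-08T10:01:20Z host=pos-term-01 EventID=4624 LogonType=10 TargetUser=pos SrcIP=203.0.113.7
2022-09-08T10:05:00Z host=pos-term-02 EventID=4625 LogonType=10 TargetUser=cashier SrcIP=198.51.100.9
2022-09-08T10:06:00Z host=pos-term-02 EventID=4625 LogonType=10 TargetUser=cashier SrcIP=198.51.100.9
2022-09-08T10:06:30Z host=pos-term-02 EventID=4624 LogonType=10 TargetUser=cashier SrcIP=198.51.100.9
2022-09-08T10:10:00Z host=pos-term-03 EventID=4625 LogonType=2 TargetUser=cashier SrcIP=-
2022-09-08T10:10:05Z host=pos-term-03 EventID=4625 LogonType=2 TargetUser=cashier SrcIP=-
2022-09-08T10:10:10Z host=pos-term-03 EventID=4625 LogonType=2 TargetUser=cashier SrcIP=-
2022-09-08T10:10:15Z host=pos-term-03 EventID=4625 LogonType=2 TargetUser=cashier SrcIP=-
2022-09-08T10:10:20Z host=pos-term-03 EventID=4625 LogonType=2 TargetUser=cashier SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10   # RemoteInteractive
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_line(line):
    """Parse one flattened event line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["eid"] = int(d["eid"])
    d["lt"] = int(d["lt"])
    return d


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on any (source IP, host) pair with >= threshold failed RDP logons inside
    a sliding window. If a successful RDP logon from the same source follows the burst
    within one window, the password was most likely guessed: severity becomes 'high'."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)   # (ip, host) -> failed-logon events, in time order
    successes = defaultdict(list)  # (ip, host) -> timestamps of successful logons
    for e in events:
        if e["lt"] != RDP_LOGON_TYPE or e["ip"] == "-":
            continue  # local/console logons carry no network source; not our pattern
        key = (e["ip"], e["host"])
        if e["eid"] == FAILED_LOGON:
            failures[key].append(e)
        elif e["eid"] == SUCCESS_LOGON:
            successes[key].append(e["ts"])

    alerts = []
    for key, fails in failures.items():
        # Two-pointer sweep: densest run of failures that fits inside one window.
        best_start, best_count, lo = 0, 0, 0
        for hi in range(len(fails)):
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 > best_count:
                best_start, best_count = lo, hi - lo + 1
        if best_count < threshold:
            continue
        burst = fails[best_start:best_start + best_count]
        last_fail = burst[-1]["ts"]
        guessed = any(last_fail < t <= last_fail + window for t in successes[key])
        alerts.append({
            "src_ip": key[0],
            "host": key[1],
            "failures": best_count,
            "users_tried": sorted({e["user"] for e in burst}),
            "first": burst[0]["ts"].isoformat(),
            "last": last_fail.isoformat(),
            "severity": "high" if guessed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, only 203.0.113.7 against pos-term-01 trips the rule (six failures across three usernames in just over a minute, then a success), so it is reported as high severity; the two failures from 198.51.100.9 and the console failures on pos-term-03 stay below the bar. VNC servers do not write Windows logon events, so the same logic has to be pointed at the VNC service's own authentication log. The rule is a backstop, not a substitute for keeping RDP and VNC off the internet, enforcing account lockout and strong credentials, and requiring a VPN or MFA in front of remote management of payment terminals.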
On July 18, 2019, the MajikPOS (aka MagicPOS) source code was published on the cybercrime forum “exploit[.]in” by the user carton grey.
Artifacts found on the C2 infrastructure by Group-IB experts indicate that the malware operator initially used a variant of Treasure Hunter, but later opted for the advanced malware MajikPOS.
Treasure Hunter, a POS malware first discovered in 2014, supports RAM scraping and has an initial kill chain stage similar to MajikPOS.
Group-IB reports that the Treasure Hunter source code was also leaked on a top Russian-language underground forum.
Group-IB estimates potential gains from selling stolen credit card data in underground markets as high as $3,340,000.
“After analyzing the malicious infrastructure, Group-IB researchers retrieved information about compromised devices and credit cards that were compromised as a result of this campaign. Since at least February 2021, operators have stolen more than 167,000 payment records (as of September 8, 2022), primarily from the United States,” reads the report published by the experts. “According to Group-IB estimates, operators can earn $3,340,000 if they decided to sell compromised card dumps on underground forums.”
The researchers noted that the malware was still active as of September 2022.
The analysis revealed that the MajikPOS panel contained data from more than 77,400 unique card dumps and the Treasure Hunter panel contained approximately 90,000 card dumps.
Most of the stolen cards in the MajikPOS PoS malware panel were issued by U.S. banks, as most of the infected POS terminals are located in the United States.
“In recent years, POS malware has become less attractive to threat actors due to some limitations of POS malware and the security measures implemented within the card payment industry. Nonetheless, as our research shows, it remains a threat to the payment industry as a whole, and independent businesses that have not implemented the latest security practices pose a significant threat. It is too early to write off POS malware,” the report concludes.
“While the dump itself cannot be used for online purchases, fraudsters purchasing such data can cash in on the stolen records. If the card issuer fails to detect the breach in time, the criminal can make a clone card (“white plastic”) and use it for ATM withdrawals or illegal in-person purchases.”