A new POS (Point Of Sale) malware family is targeting payment systems in the US and Canada. Called MajikPOS, this new strain features a modular design and support for many features often found in RAT (Remote Access Trojans), allowing crooks to scout and select which systems they want to infect.

Detected by the Trend Micro team, the malware was picked up on security scanners for the first time around January 28, 2017. Nonetheless, newly unearthed evidence revealed MajikPOS first infected systems between August and November 2016.

How MajikPOS infects systems

According to researchers, the malware authors scanned for open VNC and RDP ports and used brute-force attacks to guess weak credentials.

After they breached one of these random networks, they downloaded and installed MajikPOS. For downloading the malware, Trend Micro says attackers used different techniques, ranging from VNC, RDP, RAT access, command-line FTP, and even a modified version of Ammyy Admin remote control software package.

Following this point, the malware gathered information on each victim, and using modules specific to RATs, allowed crooks to scan for local computers handling financial details.

When attackers found workstations handling POS data, the MajikPOS malware would download a memory-scraping module that would monitor the device's RAM for anything that remotely looked like financial information.

This memory scraping module would collect payment card data entered in the POS software and would send this information to its C&C server.

MajikPOS stolen data sold on specialized dump shops

According to Trend Micro, MajikPOS was part of a well-organized cyber-crime ring. Stolen data would be sent to a server nicknamed Magic Panel.

Magic Panel login page
Magic Panel login page (Source: Trend Micro)

Crooks would then sift through all the stolen information and put it up for sale via a network of "dump shops," called Magic Dump.

Payment card data would be sold here one ID at a time for prices ranging from $9 to $39, or in bulk packages of 25, 50, and 100 IDs, priced at $250, $400, and $700, respectively.

The prices were different based on the victim's payment card type. Trend Micro says the MajikPOS dumps contained data from American Express, Diners Club, Discover, Maestro, Mastercard, and Visa cards.

Dump of payment data stolen with MajikPOS

Security experts estimate that crooks used MajikPOS to steal at least 23,400 payment card details, mostly from people in the US and Canada, with a few isolated victims from Australia as well.

A timeline of the MajikPOS operation is available in the graph below.

Timeline of MajikPOS attacks

MajikPOS, which is written in .NET, is not the first POS malware to feature a modular design, which has become very popular with POS malware in the past year. For example, the FastPOS, Gorynych and ModPOS malware strains feature a similar modular architecture.

In October 2016, Guardicore identified Trojan.sysscan, a trojan that operated very similarly to MajikPOS, but Trojan.sysscan was coded in Delphi, not .NET.