Two PoS Malware used to steal data from more than 167,000 credit cards

Researchers reported that threat actors used 2 PoS malware variants to steal information about more than 167,000 credit cards.

Cybersecurity firm Group-IB discovered two PoS malware to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals.

On April 19, 2022, Group-IB researchers identified the C2 server of the POS malware called MajikPOS. A poor configuration of the server allowed the experts to investigate the activity of its operators and to discover that it was also used as C2 for other POS malware called Treasure Hunter.

MajikPOS PoS malware was first spotted by Trend Micro in early 2017, when it was used to target businesses in North America and Canada.

MajikPOS is written using the “.NET framework” and uses encrypted communication channel to avoid detection.

The crooks did not use sophisticated techniques to compromise the targets, they were able to gain access to the PoS systems through brute-force attacks on Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services protected by easy-to-guess passwords.

In some cases, the cyber criminals used Command-line FTP (File Transfer Protocol) or a modified version of Ammyy Admin to install the MajikPOS malware.

On July 18, 2019, the source code for MajikPOS (aka MagicPOS) was offered for sale on the cybercrime forum “exploit[.]in” by the user cartonash.

The artifacts discovered by Group-IB experts on the C2 infrastructure suggest that the malware operators had initially used a variant of Treasure Hunter, but later opted for a the advanced malware MajikPOS.

Treasure Hunter is a POS malware that was first spotted in 2014, it supports RAM scraping capability and its initial kill chain phases are similar to MajikPOS.

Group-IB reported that the source code of Treasure Hunter was also leaked on a top-tier Russian-speaking underground forum.

Group-IB estimated that the potential earnings from the sale of the stolen credit card data on the underground market were as much as $3,340,000.

“After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign. Since at least February 2021, the operators have stolen more than 167,000 payment records (as of September 8, 2022), mainly from the US.” reads the report published by the experts. “According to Group-IB’s estimates, the operators could make as much as $3,340,000 if they simply decide to sell the compromised card dumps on underground forums.”

The researchers pointed out that the malware remains active as of September 2022.

The investigation revealed that MajikPOS panel contained data from around 77,400 unique card dumps and Treasure Hunter panel contained about 90,000 card dumps.

Most of the stolen cards from the MajikPOS PoS malware panel were issued by US banks because most POS terminals infected are located in the US.

“POS malware has become less attractive for threat actors in recent years due to some of its limitations and the security measures implemented within the card payment industry. Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to separate businesses that have not yet implemented the latest security practices. It is too early to write off POS malware.” concludes the report.

“Although a dump itself cannot be used to make online purchases, fraudsters who buy such data can cash out stolen records. If the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards (“white plastic“) and withdraw money from ATMs or use the cloned cards for illicit in-person purchases.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]