News Feature | March 30, 2017

US Merchants Are Being Targeted By New MagikPOS Malware

Christine Kern

By Christine Kern, contributing writer

Vawtrak Malware Takes A “Crimeware-As-A-Service” Approach

A remote access Trojan allows the malware to identify potential victims.

Security Vendor Trend Micro has warned US businesses that there is a new type of point-of-sale (PoS) malware attacking US and Canadian businesses. The Trend Micro blog asserts, “Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct.” The initial infection most likely began around January 28, 2017, and more than 23,000 credit cards have been exposed to criminals as a result of the malware.  The value of individual cards ranged from $9 to $39, with bulk pricing ranging from $250 for a set of 10 cards to $700 for 100 cards. Affected cards included those from American Express, Visa, MasterCard, and Diners Club.

The unique threat of MajikPOS is that it maps out victims in advance, indicating that the criminals behind the attacks are being highly selective regarding their targets before launching an attack, according to The Merkle. "The attackers are mapping out victims with relatively generic tools ahead of time," asserted Jon Clay, Trend Micro's global threat communications manager. All of the affected businesses experienced a remote access Trojan (RAT) compromise to their systems between August and November of 2016, an attack that helped the cybercriminals determine the value of the target for further exploitation.

The cybercriminals use a combination of methods including VNC, Remote Desktop Connection, and command-line FTP to install the PoS malware, with the goal of discovering vulnerable systems without compromising the main weapon in their arsenal, according to Clay.

 The attackers then use a pair of executables to run the attack (an implant and a scraper for accessing card numbers), and the method of attack indicates that the attackers are actively working to prevent screening and detection of their malware. Once installed, the MajikPOS inventories a system for all payment card numbers and exfiltrates the data to its command-and-control server.

Researchers believe that the authors are a new adversary, based on the use of .NET programming language, which is extremely rare.