The C&C panel in these servers is called “Magic Panel.”
The C&C panel in these servers is called “Magic Panel.”

Researchers at Trend Micro have been examining MajikPOS, a new point-of-sale (PoS) malware that has been spreading since at least late January across businesses in North America and Canada.

Detected by Trend Micro as TSPY_MAJIKPOS.A, it has similar intentions as other PoS malware, namely to siphon out information from targeted networks. However, what distinguishes it, said the researchers, is the modular approach it takes in executing. "MajikPOS needs only another component from the server to conduct its RAM scraping routine," according to a post on TrendLabs Security Intelligence Blog.

Named after its command-and-control (C&C) panel – which, as usual, receives commands and sends stolen data – the bad actors behind MajikPOS employ a combination of PoS malware and remote access trojan (RAT) to launch their campaigns. And, said the researchers, the effects are "daunting."

The attackers gain entry through victim's endpoints through Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP), both of which can easily be penetrated as they use easy-to-guess username and passwords. RATs already previously loaded into the system are another access gateway.

"After fingerprinting the targets – ascertaining if VNC and RDP services exist and are accessible – attackers will attempt to gain access using generic credentials or via brute force," Trend Micro's Cyber Safety Solutions Team wrote.

The MajikPOS malware can then be installed via commercially available remote administration tools hosted on free file-hosting sites. At that point, MajikPOS communicates with its C&C server to register the infected system and, once registered, the server sends back a “configuration” with three important entries used for RAM scraping leading to the stealing of credit card details

Another noteworthy characteristic of this particular PoS malware is that it is written

using .NET. "It's an uncommon technique, but not unheard of," they wrote. Other malware has been detected using this framework, notably GamaPOS, discovered in 2015. And, similar to other current malware, MajikPOS employs encrypted communication to disguise its activities from IT security administrators.

Other functions of the malware behave similarly to previous threats, such as exploiting open RDP ports (like Operation Black Atlas). But, the researchers also spotted the attackers behind this malware exploiting lateral movement hacking tools, which they posit was an attempt to further penetrate into victim networks.

The culprit behind this scheme appears to go by the handle “MagicDumps,” the researchers said.

"MajikPOS is an interesting case because it's a very selective attack on PoS systems than have been inventoried ahead of time," Mark Nunnikhoven, vice president of cloud research for Trend Micro, told SC Media on Thursday.

The malware itself was coded in .NET which stands out as a bit of an oddity, he said. "We've seen other malware coded against the framework but it's not often. Some of the more interesting aspects of the code are how the malware is looking for credit card numbers stored in memory."

This technique, he explained, is exploiting poor development practices on the PoS system vendor's part. "MajikPOS takes a pretty thorough inventory of potential credit card numbers and then exfiltrates them," he told SC.

When asked what is so different about the delivery mechanism used in this particular PoS malware, Nunnikhoven said the attackers are mapping out victims with relatively generic tools ahead of time. "They're looking for vulnerable systems without risking their main weapon, the MajikPOS malware. Once they've got a potential victim, the attackers are using two separate executables to run this attack. Separating the implant (csrss.exe) versus the scraper (which gets the card numbers, conhost.exe) reduces the attack's exposure and means that if the initial stages fail, the rest of the malware isn't exposed and is less likely to be looked for by other potential victims."

The method of attack shows that the attackers have put some forethought and consideration into their methods, Nunnikhoven added. "They're actively trying to reduce the possibility that their malware will be detected and screened for. This implies that they are either the originators of the malware (in other words, it wasn't sold to another group for use) and that they're trying to maximize their investment."

The main technique for extracting credit card numbers can be mitigated by using end-to-end encryption, such as the types found in chip-and-pin systems, Nunnikhoven told SC. 

Of course, the adoption of EMV technology is still being rolled out across the U.S., even though it was supposed to be in place by October 2015. But, many merchants are lagging behind in implementing the PIN part of the chip-and-PIN process. 

"Chip-and-pin is a great example of a security control that requires little-to-no effort on the part of the end-user but provides a significant increase in security for everyone involved," Nunnikhoven told SC. "All efforts should be made to roll out chip-and-pin as quickly as possible."