MajikPOS is a point-of-sale (PoS) malware family targeting payment systems mainly in the US and Canada since at least January 2017. It is a modular malware and supports many features. The attackers scan for open, poorly secured Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports and use brute-force attacks to steal credentials. Once a network is breached, MajikPOS is downloaded using VNC, RDP, remote access trojans (RAT) previously installed on the system, command-line File Transfer Protocol (FTP), or a modified version of Ammyy Admin remote control software. It collects information on each victim and uses modules to scan for local computers housing financial data. When the workstations holding PoS data are found, the malware downloads a memory-scraping module to steal the payment card data from the workstation’s RAM. The data entered in the PoS software is then sent to the MajikPOS command and control (C2) server. According to Trend Micro, the C2 server is nicknamed Magic Panel and the data is posted for sale on Magic Dump, a network of “dump shops.” The PoS card data is sold individually for $9-39 or in bulk packages of 25, 50, 100 cards for $250, $400, and $700, respectively. The payment card dumps contain data stolen from American Express, Discover, MasterCard, Visa, Diners Club, and Maestro cards. As of March 2017, researchers believe MajikPOS has been used to steal over 23,000 payment card details.
- Trend Micro provides technical details on MajikPOS, available here.