Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals. If sold on underground forums, the haul could net the thieves upwards of $3.3 million.
The backend command-and-control (C2) server that operates the MajikPOS and Treasure Hunter malware remains active, according to Group-IB’s Nikolay Shelekhov and Said Khamchiev, and “the number of victims keeps growing,” they said this week.
The security firm’s threat intelligence unit identified the C2 server in April, and determined the operators stole payment info belonging to tens of thousands of credit card holders between February 2021 and September 8, 2022. Almost all of the victims are American with credit cards issued by US banks.
Upon discovery, the researchers handed the info to a US-based threat-sharing organization as well as law enforcement agencies. They haven’t attributed the malware to a particular crime group.
The MajikPOS and Treasure Hunter malware infect Windows POS terminals and scan the devices to exploit the moments when card data is read and stored in plain text in memory. Treasure Hunter in particular performs this so-called RAM scraping: it pores over the memory of processes running on the register for magnetic-stripe data freshly swiped from a shopper’s bank card during payment. MajikPOS also scans infected PCs for card data. This info is then beamed back to the malware operators’ C2 server.
MajikPOS and Treasure Hunter
Of the two POS malware strains used in this campaign, MajikPOS is the newest, first seen targeting POS devices in 2017. The malware operators likely started with Treasure Hunter, and then paired it with the newer MajikPOS due to the latter’s more advanced features.
This includes “a more visually appealing control panel, an encrypted communication channel with C2, [and] more structured logs,” compared to Treasure Hunter, according to Group-IB. “MajikPOS database tables contain information about the infected device’s geolocation, operation system name, and hardware identification number.”
To infect a store with MajikPOS, miscreants usually start with scanning networks for open and poorly secured VNC and RDP remote-desktop services, and then brute-force their way in, or buy access to or credentials for these systems. The malware, once installed with sufficient privileges, can then collect shoppers’ payment card information from the compromised terminals.
Treasure Hunter first appeared in 2014 before the source code was leaked on a Russian-speaking forum. Its primary use is RAM scraping, and is likely installed the same way as MajikPOS.
Today both MajikPOS and Treasure Hunter can be bought and sold on nefarious marketplaces.
In a months-long investigation, Group-IB analyzed about 77,400 card dumps from the MajikPOS panel and another 90,000 from the Treasure Hunter panel, the researchers wrote. Almost all — 97 percent or 75,455 — of the cards compromised by MajikPOS were issued by US banks with the remaining 3 percent distributed around the world.
The Treasure Hunter panel told a similar story with 96 percent (86,411) issued in the US.
To put this in context, the (black) market value for card dumps between April 2021 and April 2022 hit $908.7 million, according to Group-IB Threat Intelligence data. “Given how rare they are and for how many various fraudulent activities they can be used for, card dumps are usually more expensive than card text data (aka CC),” Shelekhov and Khamchiev said, adding the average price per card dump is about $20.
Even still, POS malware remains a “severe threat” for businesses and individuals where credit cards represent the primary payment processing mechanism, Shelekhov and Khamchiev note. “One such country is the USA, which remains a desirable target for threat actors who seek to steal magstripe dumps,” they added.
There are things businesses can do to thwart POS malware infections. Implementing a strict password policy tops the list, followed by installing software updates promptly — no major surprises there. They also suggest companies use network defense products, firewalls, and whitelisting to keep intruders out.
Which is all a nice way of saying: secure that remote desktop access. ®