During a security audit conducted by Group-IB on April 19, 2022, a C2 server for the POS malware was
MajikPOS is the successor of the Treasure Hunter PoS malware (aka TREASUREHUNT). Treasure Hunter has been active since 2014 and has largely stayed under the radar of security researchers; in 2018 its source code was leaked.
“For the purpose of avoiding detection, MajikPOS is written in .NET and communicates with its server via an encrypted channel. There was no sign of sophisticated methods being used by the operators to compromise the targeted victims,” Group-IB said in a research document shared with Cyber Security News.
The threat actors gained access to the PoS systems by brute-forcing VNC and RDP services. MajikPOS was then sometimes installed using command-line FTP or modified versions of the Ammyy Admin remote-administration tool.
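The initial access described above leaves a recognisable trace on the victim host: a burst of failed logons from one source address, followed by a successful RDP logon from that same address. The following detection is an added example written for this article and is not code from Group-IB or from the MajikPOS investigation. The Windows Security event records it scans are constructed for the example (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP, LogonType 3 = network logon, which is also where RDP pre-authentication failures land when NLA is enabled), and the failure threshold and time window are assumptions to be tuned per environment.

```python
"""Flag RDP brute-force patterns in Windows Security events.

Added example, not from Group-IB's report: the event records below are
constructed, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows Security log fields:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress)
# 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); 3 = Network (RDP pre-auth
# failures with NLA enabled are logged as type 3).
SAMPLE_EVENTS = [
    ("2022-04-19T02:10:01", 4625, 3, "administrator", "203.0.113.7"),
    ("2022-04-19T02:10:02", 4625, 3, "admin", "203.0.113.7"),
    ("2022-04-19T02:10:02", 4625, 3, "pos", "203.0.113.7"),
    ("2022-04-19T02:10:03", 4625, 3, "posuser", "203.0.113.7"),
    ("2022-04-19T02:10:05", 4625, 3, "administrator", "203.0.113.7"),
    ("2022-04-19T02:10:06", 4625, 3, "administrator", "203.0.113.7"),
    ("2022-04-19T02:10:09", 4624, 10, "administrator", "203.0.113.7"),
    # A cashier mistyping a password twice and then logging in: benign.
    ("2022-04-19T08:00:10", 4625, 10, "cashier1", "192.0.2.20"),
    ("2022-04-19T08:00:20", 4625, 10, "cashier1", "192.0.2.20"),
    ("2022-04-19T08:00:31", 4624, 10, "cashier1", "192.0.2.20"),
]

FAIL_THRESHOLD = 5             # assumption: tune to the environment
WINDOW = timedelta(minutes=5)  # assumption: sliding window for failures


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for every source address that produced at
    least `fail_threshold` failed remote logons inside `window`.

    Each alert records the failure count, the account names tried, and, if a
    successful logon from the same address followed within the window, the
    account and time of that success (the brute force landed)."""
    events = sorted(events, key=lambda e: parse_ts(e[0]))
    failures = defaultdict(list)   # ip -> [(timestamp, account), ...]
    alerts = {}
    for ts_s, event_id, logon_type, account, ip in events:
        ts = parse_ts(ts_s)
        if logon_type not in (3, 10):      # only remote logon types matter here
            continue
        if event_id == 4625:
            failures[ip].append((ts, account))
            # Drop failures that fell out of the sliding window.
            failures[ip] = [f for f in failures[ip] if ts - f[0] <= window]
            if len(failures[ip]) >= fail_threshold:
                accounts = sorted({a for _, a in failures[ip]})
                alerts[ip] = {"failures": len(failures[ip]),
                              "accounts": accounts,
                              "success": alerts.get(ip, {}).get("success")}
        elif event_id == 4624 and ip in alerts and alerts[ip]["success"] is None:
            # A success shortly after the failure burst means a password was guessed.
            if failures[ip] and ts - failures[ip][-1][0] <= window:
                alerts[ip]["success"] = {"account": account, "time": ts_s}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The account list in each alert is what separates a password spray over several accounts from a single user fumbling a password; a success entry is the signal to look for the follow-on activity the article describes (FTP transfers, an Ammyy Admin install) on that host.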
A user with the username cartonash posted an announcement on the underground forum “exploit[.]in” regarding the sale of MajikPOS source code on July 18, 2019.
Since then the code has circulated on the dark web, which makes attributing the malware to a particular threat actor or group increasingly difficult.
Group-IB's experts discovered the following during the investigation:-
- In the MajikPOS panel, there are 77,400 unique card dumps.
- In the Treasure Hunter panel, there are 90,000 unique card dumps.
Most of the stolen cards were issued by banks in the following countries:-
- The U.S.
- Puerto Rico
- The U.K.
- Costa Rica
It is not known who, or which group of threat actors, is behind this malware, and it remains unclear whether the stolen data has been sold to third parties for profit.
If the dumps were sold on underground markets, the threat actors could make up to $3,340,000 (roughly $20 per dump across the 167,400 dumps found in the two panels).
Banks therefore need to enforce adequate protective measures to avoid severe consequences. The dumps contain the cards' magnetic-stripe track data, so threat actors can write them to cloned cards and use those cards to perform:-
- Transfer of funds
- Withdrawal of funds
- Unauthorized transactions
However, the limitations of PoS malware have made it less attractive to threat actors over the last few years.