Treasure trove. Alive and well point-of-sale malware

Point-of-sale (POS) malware is a type of malicious software designed to infect POS terminals for the purpose of stealing payment data stored on magnetic stripes (magstripes) on the back of bank cards. In recent years, this type of malware has become less popular due to the protection mechanisms embedded in modern credit card processing systems in most countries. But it’s still alive. And it still represents a severe threat for individuals and businesses in regions where credit cards with magstripe are used as the main payment processing mechanism. One such country is the USA, which remains a desirable target for threat actors who seek to steal magstripe dumps.

On April 19, 2022, the Group-IB Threat Intelligence identified a Command and Control (C2) server of the POS malware called MajikPOS. The analysis of C&C revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis. Group-IB Threat Intelligence experts analyzed the server and established that it also hosts a C2 administrative panel of another POS malware called Treasure Hunter, which is also used to collect compromised credit card data. After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign. Since at least February 2021, the operators have stolen more than 167,000 payment records (as of September 8, 2022), mainly from the US. According to Group-IB’s estimates, the operators could make as much as $3,340,000 if they simply decide to sell the compromised card dumps on underground forums.

At the time of writing this blog, the panel remains active. As soon as we discovered it, the information was shared with a US-based financial threat-sharing organization and law enforcement agencies within the unit.

POS malware has become a tool that is rarely used, largely as a result of evolving security measures implemented in modern POS equipment. More and more threat actors in the carding industry are switching to JavaScript sniffers to collect card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs) from eCommerce websites. Few cyber criminals are involved in collecting dumps (data stored on magnetic stripes on bank cards). The C2 server that hosted the panels for the two POS malware strains discovered by Group-IB stands out on account of the considerable collection of compromised payment records.

In this blog post, the Group-IB Threat Intelligence team delved deep into the analysis of malware infrastructure and the information compromised as a result of the activity of the MajikPOS and Treasure Hunter samples discovered on the C2. In line with our mission to fight against cybercrime, we are publishing this report that could be particularly useful for anti-fraud analysts, threat intelligence researchers, and system administrators for POS devices, who can immediately leverage the information and mitigate the threat.

Due to the protection mechanisms in place within the payment processing industry, POS malware has some distinctive features and limitations.

One such mechanism is data encryption implemented during major phases of the payment processing. Decryption occurs only in the Random Access Memory (RAM) of the PoS device, where sensitive payment details are stored in plain text. This has made RAM the primary target for POS malware. The process of exfiltrating sensitive card payment details is called RAM scraping.

Almost all POS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing. Let’s take a closer look at the profiles of MajikPOS and Treasure Hunter.

On July 18, 2019, an announcement about the sale of the source code for MajikPOS (aka MagicPOS) was posted on the underground forum "exploit[.]in" by the user cartonash. The threat actors also offered to sell the source code of a shop used to sell dumps collected by the malware.

Ever since then, MajikPOS has been circulating on the DarkWeb, which makes it hard to attribute it to a particular threat actor.

Based on the artifacts obtained while analyzing the discovered malicious infrastructure, Group-IB researchers concluded that the malware operators had initially used a variant of Treasure Hunter, but later augmented their arsenal with more advanced malware, namely MajikPOS.

This addition could be due to the fact that MajikPOS had been released later and had additional features such as a more visually appealing control panel, an encrypted communication channel with C2, more structured logs, and more. MajikPOS database tables contain information about the infected device’s geolocation, operation system name, and hardware identification number. Conversely, Treasure Hunter logs mostly contain records about the processes running in an operating system or device from which the data was stolen, along with their names.

The typical kill chain of an attack involving MajikPOS starts with scanning for open and poorly secured VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) ports. When such assets are identified, the attackers then brute-force their way into the system. Access to infected machines can sometimes be purchased from initial access brokers on underground forums. MajikPOS collects information about each victim and uses various modules to scan for machines that host payment PoS records.

The Treasure Hunter malware command and control panel was also found to be running on the same server. Treasure Hunter is a POS malware that was first detected in 2014. Its main feature is RAM scraping.

The initial kill chain phases are similar to MajikPOS. After infecting a POS terminal, the malware enumerates the running processes, extracts all available payment card information from the memory, and forwards this information to a C2.

“Treasure Hunter” was named after a specific string in its binary:

Some samples contain a string referencing version 0.1:

Treasure Hunter was developed by a threat actor with the nickname Jolly Roger. Jolly Roger is known for developing malware for a group called “BearsInc”, which has been operating an underground forum for stolen payment records. The malware was never a widespread strain and was most likely used by this group only to gather payment card details traded on their forum until its source code was leaked.

The source code of Treasure Hunter was also leaked on a top-tier Russian-speaking underground forum, along with the graphical user interface builder and administrator panel.

As mentioned above, both malware strains have been distributed on underground forums such as “Exploit” or “XSS,” and they are available for purchase to anyone interested.

The initial point of the analysis was a C2 server discovered by the Group-IB Threat Intelligence on April 19, 2022:

While investigating further, the Group-IB Botnet Monitoring team discovered a second malware panel running on this host, which is used to operate another POS malware strain called Treasure Hunter.

Both these malware panels contain information about stolen dumps and infected POS devices. During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. Given that the malware remains active at the time of writing this blog, the number of victims keeps growing. The Group-IB Team shared its findings with a US-based financial threat-sharing organization and LE within the unit.

Most of the stolen cards from the MajikPOS malware panel were issued by US banks.

The analysis revealed that most POS terminals infected with MajikPOS are also located in the US. The distribution of infected devices by state/city (identified by their IP addresses) is shown below.

The Treasure Hunter panel also contains mainly US-issued payment records.

The geographical distribution of infected devices by state/city can be found below.

Most POS devices infected with Treasure Hunter were compromised in 2021. In 2022, however, the threat actors started using MajikPOS, and most of the devices infected since the beginning of 2022 were compromised using this strain.

According to Group-IB Threat Intelligence data, the market for compromised card dumps between April 2021 and April 2022 totaled $908,713,251. Given how rare they are and for how many various fraudulent activities they can be used for, card dumps are usually more expensive than card text data (aka CC). The average price for one card dump was $20.

It is unknown whether the dumps collected by the operators behind the campaign are being sold. According to Group-IB’s estimates, however, if the threat actors were to sell the stolen dumps underground, they could make up to $3,340,000.

POS malware has become less attractive for threat actors in recent years due to some of its limitations and the security measures implemented within the card payment industry.

Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to separate businesses that have not yet implemented the latest security practices. It is too early to write off POS malware.

Although a dump itself cannot be used to make online purchases, fraudsters who buy such data can cash out stolen records. If the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards (“white plastic“) and withdraw money from ATMs or use the cloned cards for illicit in-person purchases. By constantly monitoring underground forums for compromised personal and payment records belonging to their customers, banks and financial organizations can quickly block stolen cards and mitigate risks and further damage.

Group-IB products and experts can identify and mitigate such threats at any stage, including preventing initial access using the Group-IB Managed XDR and mitigating risks using the Group-IB Threat Intelligence system.

Below are detection reports of MajikPOS and Treasure Hunter samples generated by Group-IB Managed XDR.

In the case of POS malware, it is possible to obtain IOCs, their descriptions, a technical analysis, intelligence from underground sources, compromised credit cards, and infected devices (provided to the affected threat intelligence customers only), and even tools that help research such threats and investigate the malicious infrastructure independently.

In line with Group-IB's mission of fighting cybercrime, we will continue to explore cybercriminals' methods, tools, and tactics. We will also continue to inform and warn targeted organizations worldwide. We always strive to ensure that organizations under attack are notified as quickly as possible to help reduce potential damage. We also consider it our responsibility to share our findings with the cybersecurity community and encourage researchers to study advanced threats, share data, and use our technologies to combat cybercrime — together.

If you are interested in what we do and want to become an expert in the same field, you can take our Digital Forensics, Incident Response, and Threat Intelligence training courses. We also welcome applications to join the Group-IB team. Please check our vacancies on the website.