24.10.2022

Treasure trove. Alive and well point-of-sale malware

Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals
Nikolay Shelekhov
Head of the Group-IB Botnet Monitoring team, Threat Intelligence Unit
Said Khamchiev
Analyst at the Group-IB Botnet Monitoring team, Threat Intelligence Unit

Introduction

Point-of-sale (POS) malware is a type of malicious software designed to infect POS terminals for the purpose of stealing payment data stored on magnetic stripes (magstripes) on the back of bank cards. In recent years, this type of malware has become less popular due to the protection mechanisms embedded in modern credit card processing systems in most countries. But it’s still alive. And it still represents a severe threat for individuals and businesses in regions where credit cards with magstripe are used as the main payment processing mechanism. One such country is the USA, which remains a desirable target for threat actors who seek to steal magstripe dumps.

On April 19, 2022, Group-IB Threat Intelligence identified a command and control (C2) server of the POS malware MajikPOS. Analysis of the C2 revealed that it was poorly configured and that the way it had been developed made it possible to extract the stolen data for further analysis. Group-IB Threat Intelligence experts analyzed the server and established that it also hosts the C2 administrative panel of another POS malware strain, Treasure Hunter, which is likewise used to collect compromised credit card data. After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign. Since at least February 2021, the operators have stolen more than 167,000 payment records (as of September 8, 2022), mainly from the US. According to Group-IB’s estimates, the operators could make as much as $3,340,000 if they simply decided to sell the compromised card dumps on underground forums.

At the time of writing this blog, the panel remains active. As soon as we discovered it, the information was shared with a US-based financial threat-sharing organization and law enforcement agencies within the unit.

POS malware has become a tool that is rarely used, largely as a result of evolving security measures implemented in modern POS equipment. More and more threat actors in the carding industry are switching to JavaScript sniffers to collect card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs) from eCommerce websites. Few cyber criminals are involved in collecting dumps (data stored on magnetic stripes on bank cards). The C2 server that hosted the panels for the two POS malware strains discovered by Group-IB stands out on account of the considerable collection of compromised payment records.

In this blog post, the Group-IB Threat Intelligence team delved deep into the analysis of malware infrastructure and the information compromised as a result of the activity of the MajikPOS and Treasure Hunter samples discovered on the C2. In line with our mission to fight against cybercrime, we are publishing this report that could be particularly useful for anti-fraud analysts, threat intelligence researchers, and system administrators for POS devices, who can immediately leverage the information and mitigate the threat.


Key findings

  • Group-IB Threat Intelligence discovered a C2 server that hosted administrative panels of the Treasure Hunter and MajikPOS POS malware.
  • The Group-IB Botnet Monitoring team identified POS devices infected with MajikPOS and Treasure Hunter.
  • We analyzed more than 167,000 mainly US-issued compromised credit card dumps.
  • The malware remains active as of September 2022.
  • According to Group-IB Threat Intelligence data, the market for compromised card dumps between April 2021 and April 2022 totaled $908,713,251. The average price for one card dump was $20.
  • If the threat actors were to sell the stolen dumps underground, they could make up to $3,340,000.

How POS malware works

Due to the protection mechanisms in place within the payment processing industry, POS malware has some distinctive features and limitations.

One such mechanism is encryption of card data during the major phases of payment processing. Decryption occurs only in the random access memory (RAM) of the POS device, where the sensitive payment details are held in plain text. This has made RAM the primary target for POS malware: the process of reading sensitive card payment details out of the terminal's memory is called RAM scraping.
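To make the RAM-scraping stage concrete, here is an added example (not code from the original post, and not from either malware family) of the kind of check a DLP sensor or an incident responder runs over a decrypted buffer or a seized dump file: it looks for ISO/IEC 7813 track 1 and track 2 formatted records, drops candidates that fail the Luhn check, reads the service code to tell chip-capable cards from magstripe-only ones, and redacts the PAN before reporting. The sample buffer, cardholder name, expiry dates and service codes are constructed; the PAN is the public 4111 1111 1111 1111 test number.

```python
import re
from typing import Dict, List

# Constructed sample of decrypted track data as it sits in terminal RAM. The PAN is
# the public 4111 1111 1111 1111 test number; the name, expiry and other fields are made up.
SAMPLE_BUFFER = (
    b"\x00\x00POSTERM\x00;4111111111111111=25121011234567890?\x00"  # track 2
    b"%B4111111111111111^DOE/JANE^2512201123456789?\x00"  # track 1
    b";1234567890123456=24011011234567890?\x00"  # looks like track 2 but fails Luhn
)

# ISO/IEC 7813 layouts. Track 2: ;PAN=YYMM SSS discretionary?  Track 1: %B PAN^NAME^YYMM SSS ...?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^[^^?]{2,26}\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, which drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so issuers can be notified without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tracks(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-valid track 1/track 2 records found in buf, PAN redacted."""
    hits = []
    for track, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue
            svc = m.group("svc").decode()
            hits.append({
                "track": track, "offset": m.start(), "pan": redact(pan),
                "expiry": m.group("exp").decode(), "service_code": svc,
                # service code starting with 2 or 6 marks an IC (chip) card per ISO/IEC 7813
                "chip_capable": svc[0] in "26",
            })
    return hits
```

Running `scan_tracks(SAMPLE_BUFFER)` reports two records and silently discards the third, which is why a Luhn check matters when triaging a dump of tens of thousands of rows.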

Almost all POS malware strains have a similar card dump extraction functionality, but different methods for maintaining persistence on infected devices, data exfiltration and processing. Let’s take a closer look at the profiles of MajikPOS and Treasure Hunter.

MajikPOS

MajikPOS malware appeared in early 2017, when it was first seen targeting POS devices across the US and Canada.
Screenshot of MajikPOS profile from Group-IB Threat Intelligence
On July 18, 2019, an announcement about the sale of the source code for MajikPOS (aka MagicPOS) was posted on the underground forum "exploit[.]in" by the user cartonash. The seller also offered the source code of a shop used to sell dumps collected by the malware.
Screenshot of the announcement from Group-IB Threat Intelligence
Ever since then, MajikPOS has been circulating on the dark web, which makes it hard to attribute it to a particular threat actor.

Based on the artifacts obtained while analyzing the discovered malicious infrastructure, Group-IB researchers concluded that the malware operators had initially used a variant of Treasure Hunter, but later augmented their arsenal with more advanced malware, namely MajikPOS.

This addition could be due to the fact that MajikPOS had been released later and had additional features, such as a more visually appealing control panel, an encrypted communication channel with the C2, and more structured logs. MajikPOS database tables contain information about the infected device’s geolocation, operating system name, and hardware identification number. By contrast, Treasure Hunter logs mostly contain records about the processes running on the operating system or device from which the data was stolen, along with their names.
Screenshot of logs from the Treasure Hunter panel (“tracks” table)
The typical kill chain of an attack involving MajikPOS starts with scanning for open and poorly secured VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol) ports. When such assets are identified, the attackers brute-force their way into the system. Access to infected machines can sometimes be purchased from initial access brokers on underground forums. MajikPOS collects information about each victim and uses various modules to scan for machines that hold payment card records.

Treasure Hunter

The Treasure Hunter malware command and control panel was also found to be running on the same server. Treasure Hunter is a POS malware that was first detected in 2014. Its main feature is RAM scraping.
Screenshot Treasure Hunter malware profile from Group-IB Threat Intelligence
The initial kill chain phases are similar to MajikPOS. After infecting a POS terminal, the malware enumerates the running processes, extracts all available payment card information from the memory, and forwards this information to a C2.

“Treasure Hunter” was named after a specific string in its binary:

  C:\Users\Admin\documents\visual studio2012\Projects\treasureHunter\Release\treasureHunter.pdb

Some samples contain a string referencing version 0.1:

  TreasureHunter version 0.1 Alpha, created by Jolly Roger (jollyroger@prv[.]name) for BearsInc. Greets to Xylitol and co.

Treasure Hunter was developed by a threat actor with the nickname Jolly Roger. Jolly Roger is known for developing malware for a group called “BearsInc”, which has been operating an underground forum for stolen payment records. The malware was never a widespread strain and was most likely used by this group only to gather payment card details traded on their forum until its source code was leaked.

The source code of Treasure Hunter was also leaked on a top-tier Russian-speaking underground forum, along with the graphical user interface builder and administrator panel.
Screenshot from Group IB Threat Intelligence
As mentioned above, both malware strains have been distributed on underground forums such as “Exploit” or “XSS,” and they are available for purchase to anyone interested.

Analysis of malicious infrastructure

The starting point of the analysis was the C2 server discovered by Group-IB Threat Intelligence on April 19, 2022.

While investigating further, the Group-IB Botnet Monitoring team discovered a second malware panel running on this host, which is used to operate another POS malware strain called Treasure Hunter.
Screenshot of the login page for Treasure Hunter malware panel
Both malware panels contain information about stolen dumps and infected POS devices. During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel. Given that the malware remains active at the time of writing this blog, the number of victims keeps growing. The Group-IB team shared its findings with a US-based financial threat-sharing organization and with law enforcement agencies.

Most of the stolen cards from the MajikPOS malware panel were issued by US banks.
The analysis revealed that most POS terminals infected with MajikPOS are also located in the US. The distribution of infected devices by state/city (identified by their IP addresses) is shown below.
The Treasure Hunter panel also contains mainly US-issued payment records.
The geographical distribution of infected devices by state/city can be found below.
Most POS devices infected with Treasure Hunter were compromised in 2021. In 2022, however, the threat actors started using MajikPOS, and most of the devices infected since the beginning of 2022 were compromised using this strain.

According to Group-IB Threat Intelligence data, the market for compromised card dumps between April 2021 and April 2022 totaled $908,713,251. Given how rare they are and how many different fraudulent activities they can be used for, card dumps are usually more expensive than card text data (aka CC). The average price for one card dump was $20.
It is unknown whether the dumps collected by the operators behind the campaign are being sold. According to Group-IB’s estimates, however, if the threat actors were to sell the stolen dumps underground, they could make up to $3,340,000.

Conclusion and recommendations

POS malware has become less attractive for threat actors in recent years due to some of its limitations and the security measures implemented within the card payment industry.

Nevertheless, as our research shows, it remains a significant threat to the payment industry as a whole and to separate businesses that have not yet implemented the latest security practices. It is too early to write off POS malware.

Although a dump itself cannot be used to make online purchases, fraudsters who buy such data can cash out stolen records. If the card-issuing authority fails to detect the breach promptly, criminals are able to produce cloned cards (“white plastic”) and withdraw money from ATMs or use the cloned cards for illicit in-person purchases. By constantly monitoring underground forums for compromised personal and payment records belonging to their customers, banks and financial organizations can quickly block stolen cards and mitigate risks and further damage.

Group-IB researchers have prepared a list of recommendations to mitigate the threat and to help better detect MajikPOS and Treasure Hunter malware:

  • Implement a strict password policy
  • Install software updates in a timely manner
  • Apply network defense solutions
  • Use whitelisting and firewalls

Group-IB products and experts can identify and mitigate such threats at any stage, including preventing initial access using the Group-IB Managed XDR and mitigating risks using the Group-IB Threat Intelligence system.

Below are detection reports of MajikPOS and Treasure Hunter samples generated by Group-IB Managed XDR.
Group-IB Threat Intelligence equips customers with:

Strategic intelligence

  • Regular general analytical reports about threats
  • Personalized analytical reports about specific events, as requested


Tactical intelligence

  • TTP used by all types of attackers (cybercrime groups, APT groups, hacktivists)
  • Compromised emails, bank cards, accounts for different services, etc.


Operational intelligence

  • Information about phishing, DDoS attacks, defacement attacks, etc.
  • Intel data from the Darknet, instant messengers, etc.


Technical intelligence

  • Indicators of compromise
  • Information about TOR, botnet proxies, suspicious IP addresses
In the case of POS malware, it is possible to obtain IOCs, their descriptions, a technical analysis, intelligence from underground sources, compromised credit cards, and infected devices (provided to the affected threat intelligence customers only), and even tools that help research such threats and investigate the malicious infrastructure independently.

In line with Group-IB's mission of fighting cybercrime, we will continue to explore cybercriminals' methods, tools, and tactics. We will also continue to inform and warn targeted organizations worldwide. We always strive to ensure that organizations under attack are notified as quickly as possible to help reduce potential damage. We also consider it our responsibility to share our findings with the cybersecurity community and encourage researchers to study advanced threats, share data, and use our technologies to combat cybercrime — together.

If you are interested in what we do and want to become an expert in the same field, you can take our Digital Forensics, Incident Response, and Threat Intelligence training courses. We also welcome applications to join the Group-IB team. Please check our vacancies on the website.