Back to overview

POSsibly black magic: MajikPOS

Cheap Trick: MajikPOS is not that spectacular – at least from a european point of viewKa-ching is a thing of the past

Everyone should be aware of this by now: there are no more offline cash registers. Whether at the petrol station, the grocery store or your favourite Italian restaurant: distribution systems, accounting regulations and – last but not least – cashless payment make it necessary for each and every card reader and cash register to have a permanent network connection. Each point-of-sale is actually an “endpoint of sale”. And like all other endpoints, it these are imminently vulnerable.

POS Malware is a special strain of malicious software, which is specifically targeting such endpoints. MajikPOS belongs to this category.

The “magic” of MajikPOS

According to Trend Micro’s researcher, this malware has the same intentions as other POS malware: exfiltrating data from infected networks.

What distinguishes this specific sample is the modular approach it takes for execution.

“MajikPOS requires only one additional component from the server to start searching the memory for usable information, like credit card scans (RAM scraping). As common among malware, MajikPOS also works with a command-and-control (C&C) server. About the only thing that’s new here is the combination of Remote Access Trojan (RAT) and POS malware.

Draw the curtains: malware enters

Access is usually obtained via inadequately secured VNC or RDP sessions. Commonly used attackvectors are, for example, weak passwords, in case of RDP accompanied by “pass-the-hash” techniques and outdated operating systems. Sometimes attackers also use the remnants of orphaned RATs that are already present on the system and have never been properly removed.

The MajikPOS malware, on the other hand, can be installed using “standard” RATs (common in certain circles). At this point, MajikPOS communicates with its C&C server to register the infected system. Once registered, the server sends a “configuration” with three entries that are used for ram scraping.

Standard malware …. with a fancy cape.

Another rather unusual feature of this POS malware is the fact that it is written in .NET. This is nothing spectacular either, though it is unusual. In addition, the way MajikPOS is looking for data in the RAM is interesting.

Another POS malware using the same framework is GamaPOS from 2015. What is basically best practice in malware by now is that it encrypts all of its communication.

No tour of Europe for now

In Europe this malware is unlikely to cause much damage because the “EMV” system effectively counteracts the methods hijackers use to monetize this particular kind of stolen data.

EMV stands for Europay, Mastercard, Visa, and is safer than conventional magnetic strips (as are common in North America) which store immutable card data only. Here lies the weak point: Since the data on the magnetic strip is static, you can copy it to duplicates. The attackers can basically make a valid credit card, with which they can immediately go shopping.

The microchips embedded in EMC cards also store data, but additionally generate a unique code for each individual transaction. Without the correct chip response, a fake card does not work. In other words, even if a POS is infected, the stolen data is basically useless for cyber criminals.

Avoid lazy tricks in the first place

Of course, this is no reason to let yourself be overrun by POS malware without putting up some resistance. Data from payment systems must be kept as secure as possible – for the sake of compliance alone.

As mentioned before: We are talking about endpoints in principle. Therefore, very similar rules apply for the protection of points of sale. Current Endpoint Protection Solutions can effectively stop POS malware (a detailed test of Next Generation Endpoint Protection Solutions can be found here).

Products like CylanceProtect prevent most of the malware from reaching the system without being removed or quarantined immediately. In addition, typical techniques like Ram Scraping are instantly detected and stopped.

Conclusion:  A rather lame show for experts. But still insightful.

Although the danger in Europe is significantly lower than on the other side of the Atlantic Ocean because of the very secure EMC chip cards: Endpoints ought to be secured. Even if (or more rather: especially if) they happen to be POS systems.

 


https://www.infosecurity-magazine.com/news/majikpos-shows-evolved-cardskimming/

http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/

https://www.cylance.com/content/cylance/en_us/blog/cylance-vs-flokibot-pos-malware.html

Image: ©iT-CUBE SYSTEMS AG 2017

Leave a Reply