Over 1.5 years, MajikPOS and Treasure Hunter stole 167 thousand credit card numbers

Tomcat

Observers from Group-IB discovered a poorly configured server on the Internet used to manage MajikPOS and Treasure Hunter malware. An analysis of the contents of admin panels revealed over 167 thousand unique entries with bank card data that were stolen from 133 PoS terminals, located mainly in the United States.

The owners of the C2 server, and of the haul collected on it between February 2021 and September 8, 2022, could not be identified. It is also unknown for what purpose the financial information, suitable for cloning cards and withdrawing money through ATMs, was being collected: for sale or for personal use.

Based on black market prices, analysts have suggested that the total cost of memory dumps obtained using the two PoS malware could be more than $3.3 million. To date, 11 victims of infection have been identified - legal entities based in the United States. GIB reported its findings to the US facilitator of financial threat intelligence sharing between the private sector, NPOs and law enforcement.

It is noteworthy that at first the attackers used only Treasure Hunter, a RAM scraper known since 2014 whose source code had long since leaked to the darknet. At the beginning of this year, a younger malware was added to the arsenal of those attacking PoS terminals (MajikPOS appeared in early 2017 in North America), and it became the preferred tool.

MajikPOS source code is also available in the underground (since mid-2019), and infection occurs in the same way as with Treasure Hunter: by scanning for VNC and RDP ports and guessing passwords. However, the control panel here is more convenient, the logs are more informative, and C2 communications are encrypted.

In total, the researchers analyzed about 77.4 thousand unique dumps made by MajikPOS, and about 90 thousand recorded in the Treasure Hunter console. As it turned out, more than 96% of the compromised cards were issued by American banks.

In recent years, the popularity of PoS malware in the criminal environment has noticeably decreased due to preventive and protective measures taken by the payments industry. For the mass theft of bank card data, web skimmers are increasingly being used, embedded on the websites of merchants.

However, GIB believes that it is too early to discount threats designed for PoS terminals. Such equipment continues to be actively used, and vulnerabilities are periodically found in it that facilitate hacking. PoS attacks, for example, are part of the repertoire of the notorious cyber group FIN7, aka Carbanak.

(c) https://www.anti-malware.ru/news/2022-10-25-114534/39786