{
	"id": "31a847fe-dd62-4efb-90fd-b1640b1a2138",
	"created_at": "2026-04-06T00:11:53.012464Z",
	"updated_at": "2026-04-10T03:31:46.649421Z",
	"deleted_at": null,
	"sha1_hash": "581bc7f5cab47de53de0eef2150b24cc5770b435",
	"title": "MajikPOS Uses PoS Malware, RATs for Malicious Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72474,
	"plain_text": "MajikPOS Uses PoS Malware, RATs for Malicious Tricks\r\nBy: Cyber Safety Solutions Team Mar 15, 2017 Read time: 4 min (1181 words)\r\nPublished: 2017-03-15 · Archived: 2026-04-05 13:22:22 UTC\r\nWe’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A). Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct. We estimate that MajikPOS’s initial infection started around January 28, 2017.\r\nWhile other PoS malware such as FastPOS (its updated version), Gorynych and ModPOS also feature multiple components with entirely different functions like keylogging, MajikPOS’s modular tack is different. MajikPOS needs only another component from the server to conduct its RAM scraping routine.\r\nMajikPOS is named after its command and control (C\u0026C) panel that receives commands and sends exfiltrated data. MajikPOS’s operators use a combination of PoS malware and remote access Trojan (RAT) to attack their targets, to daunting effect. MajikPOS is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses.\r\nEntry Point and Attack Chain\r\nFeedback from our Smart Protection Network™ enabled us to determine the methods the bad guys used to illicitly gain access to the victims’ endpoints. Among them are Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP), poorly secured by easy-to-guess username and password combinations; and RATs previously installed in the system.\r\nAfter fingerprinting the targets—ascertaining if VNC and RDP services exist and are accessible—attackers will attempt to gain access using generic credentials or via brute force. The common denominator in the MajikPOS compromises we’ve observed involving RATs is the timeline of their infection. The RATs were installed in the endpoints somewhere between August and November, 2016.\r\nIf the endpoint piques the malefactors’ interest, they use a combination of VNC, RDP, RAT access, command-line FTP (File Transfer Protocol), and sometimes a modified version of Ammyy Admin—a legitimate, commercially available remote administration tool—to install MajikPOS by directly downloading the files, usually hosted on free file-hosting sites. In the case of Ammyy Admin, its file manager capability is used instead. The modified version is sometimes named VNC_Server.exe or Remote.exe.\r\nConfiguration and C\u0026C Communication\r\nMajikPOS contacts its C\u0026C server to register the infected system. Once registered, the server then sends a “configuration” with three important entries that will be used in later steps.\r\nFigure 1: C\u0026C server responds with configuration details after registration\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/\r\nPage 1 of 3\r\nThe C\u0026C panel in these servers is called “Magic Panel”, as shown below:\r\nFigure 2: Magic Panel’s login page\r\nRAM-scraping Routine\r\nConhost.exe is the component responsible for RAM scraping (looking for credit card data on the victim’s machine). It uses information from the configuration file for this routine.\r\nMajikPOS checks a sizeable range of cards, such as American Express, Diners Club, Discover, Maestro, Mastercard, and Visa. After verifying the credit card’s track data, the information is sent to the C\u0026C server via HTTP POST, Action=”bin”.\r\nFigure 3: Snapshot of a “Magic Dump” shop selling stolen credit card data\r\nOnline Shops for Stolen Credit Card Data\r\nOur foray into one of MajikPOS’s C\u0026C servers, umbpan[.]xyz, led us to more websites with the same registrant, one of which is another Magic Panel. The rest of the websites are “Magic Dump” shops where stolen credit card information is sold.\r\nThe Dump shops currently contain around 23,400 stolen credit card tracks, sold from US $9 to $39 each, depending on the type of card. They can also be bought in bulk packages of 25, 50, and 100, priced at $250, $400, and $700, respectively. Some of these websites were advertised on carding forums as early as February 2017 by a user called “MagicDumps”, who has been updating the forums for new dumps based on location—mostly in the U.S. and Canada.\r\nMajikPOS’s Timeline\r\nHere is a rough timeline of events related to MajikPOS, based on our findings:\r\n[Figure: rough timeline of MajikPOS-related events]\r\nOther MajikPOS Tricks\r\nMajikPOS was written using .NET. It’s an uncommon technique, but not unheard of. GamaPOS, discovered in 2015, was the first documented PoS malware to use the .NET framework. MajikPOS, like many of today’s malware, uses encrypted communication to make it harder to detect on the network level. It took advantage of open RDP ports, similar to other related threats like Operation Black Atlas.\r\nWe also spotted instances where MajikPOS’s operators utilized commonly used lateral movement hacking tools. This can be an indication of their attempts to further access the victim’s network. In separate incidents, we saw a command-line tool abused to deploy MajikPOS, along with other PoS malware. MajikPOS is also notable for how it tries to hide by mimicking common file names in Microsoft Windows.\r\nMitigation\r\nProperly configured chip-and-pin credit cards with end-to-end encryption (EMVs) should be unaffected by this threat. Unfortunately, terminals that don’t support them are at risk from threats like MajikPOS.\r\nWhile the U.S. has adopted EMVs—thanks to the implementation of the EMV Liability Shift last October 2015—the transition has been a challenge. From July 2015 to June 2016, the U.S. lagged behind in terms of EMV-based transactions. While businesses and consumers across the country are increasingly deploying and using chip-based PoS terminals, many merchants, for instance, still haven’t implemented the PIN part of the chip-and-PIN process.\r\nAlthough the use of EMV Chip-and-PIN credit cards is not a silver bullet, EMVs are still a more secure alternative compared to magnetic stripe-based credit cards, which are the most affected by PoS malware like MajikPOS. In fact, MasterCard and Visa reported a decline in credit card fraud since utilizing EMV-enabled cards and PoS systems.\r\nIt would also be useful to take note of a good PoS Defense Model. To further mitigate MajikPOS, it’s recommended to properly secure remote access functionalities like remote desktops and VNC, especially when these expose the host or system to the internet. For infosec professionals and IT/system administrators who protect their organization’s endpoints, consulting the appropriate documentation for securing Remote Desktop and VNC is a good place to start.\r\nTrend Micro Solutions\r\nEndpoint application control or whitelisting can be employed to reduce attack exposure by ensuring only updates associated with whitelisted applications can be installed. Trend Micro’s OfficeScan™ has many security features including Behavior Monitoring, which can be used to detect these names (csrss.exe and conhost.exe) by the event “Duplicated System File”. It can also detect and prevent other malicious indicators like RATs. Trend Micro’s Deep Discovery Inspector can be used to determine attempts to perform lateral movement and possible brute-force activity. MajikPOS’s C\u0026C traffic is already blocked by Trend Micro™ Web Reputation Services.\r\nTrend Micro’s advanced endpoint solutions such as Trend Micro™ Smart Protection Suites, and Trend Micro™ Worry-Free™ Business Security provide both detection and blocking of all the relevant, malicious files and C\u0026C traffic. Implementing application control in PoS devices also significantly mitigates similar attacks by ensuring that only whitelisted applications are allowed to execute. TippingPoint customers are protected from this threat with the following ThreatDV filter:\r\n27432: HTTP: TSPY_MAJIKPOS.A Checkin\r\nLearn more about our analysis of MajikPOS in this technical brief—its Indicators of Compromise (IoCs), an in-depth look into its attack chain and malicious routines, and how the stolen data are sold in underground forums and websites.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/"
	],
	"report_names": [
		"majikpos-combines-pos-malware-and-rats"
	],
	"threat_actors": [
		{
			"id": "5c457d56-6078-4a86-ac5c-e3e91fa278e7",
			"created_at": "2022-10-25T16:07:23.934665Z",
			"updated_at": "2026-04-10T02:00:04.795018Z",
			"deleted_at": null,
			"main_name": "Operation Black Atlas",
			"aliases": [],
			"source_name": "ETDA:Operation Black Atlas",
			"tools": [
				"Alina POS",
				"BlackPOS",
				"Diamond Fox",
				"DiamondFox",
				"FrameworkPOS",
				"Gorynch",
				"Gorynych",
				"Kaptoxa",
				"MMon",
				"ModPOS",
				"NewPosThings",
				"POSWDS",
				"Reedum",
				"alina_eagle",
				"alina_spark",
				"aline_joker",
				"katrina",
				"straxbot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/581bc7f5cab47de53de0eef2150b24cc5770b435.pdf",
		"text": "https://archive.orkl.eu/581bc7f5cab47de53de0eef2150b24cc5770b435.txt",
		"img": "https://archive.orkl.eu/581bc7f5cab47de53de0eef2150b24cc5770b435.jpg"
	}
}