# MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks #### TrendLabs Security Intelligence Blog Cyber Safety Solutions Team March 2017 ----- ## Table of Contents ### MajikPOS is a Mishmash of Nefarious Tricks ........................................ 1 Entry Point and Attack Chain ................................................................... 2 RAM-scraping Routine .............................................................................. 5 Online Shops for Stolen Credit Card Data .............................................. 8 Indicators of Compromise ........................................................................ 9 TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. ----- ## MajikPOS is a Mishmash of Nefarious Tricks Crooks behind MajikPOS have various tricks up their sleeves. Apart from infecting systems with it, we also spotted instances where common lateral movement tools were detected around the same time they were actively compromising the endpoint with MajikPOS. These tools include: [HKTL_MIMIKATZ, HKTL_FGDUMP, and HKTL_VNCPASSVIEW. We surmise that the bad](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/hktl_mimikatz) guys attempted to gain further access within the victim’s network. In separate isolated incidents, we also noticed the deployment of MajikPOS via PsExec, a command-line tool that can be used to remotely execute processes on other systems. This may indicate that valid, administrativelevel credentials were used against the host. The attackers also tend to deploy what works or what's convenient, as we’ve also seen them attempt to infect the target host with other PoS [malware such as PwnPOS (TSPY_PWNPOS.SMA), and BlackPOS (TSPY_POCARDL.AI).](http://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/) One of MajikPOS’s striking functionalities is how it can take two parts to operate: the main component, often called csrss.exe, and conhost.exe, which is in charge of the scraping routine. Only the main component, csrss.exe, is often deployed; if access to the C&C server is blocked, then full infection doesn’t occur and the endpoint is left with a similarly-named system file. We also construe that csrss.exe and conhost.exe are so named as an effort by the MajikPOS’s author to hide the malware, as they mimic common file names in Microsoft Windows. Additionally, MajikPOS opts to use uncommon ports as its C&C channel. We’re not certain why, as the customary approach for malware nowadays is to try blending in within normal user traffic, and use the more commonly utilized HTTP (TCP port 80), or HTTPS (TCP port 443). This technical brief provides an in-depth look into MajikPOS’s attack chain and routines. 1 ----- ## Entry Point and Attack Chain - **_Unsecure VNC and RDP. While port scanning of hosts directly accessible via the_** internet happens all the time (and not all result in a compromise), we observed that targets are initially identified by having open ports related to VNC (like TCP port 5900) and RDP (usually TCP port 3389). - **_Previously installed malicious backdoors, or RATs. Most of the backdoors involved_** have the functionality to acquire information from—and provide remote access to—the endpoint. These RATs can be purchased in the underground, and are otherwise easy to come by. The MajikPOS-infected endpoints we observed would have one or more of the following RATs: ``` o Remcos (BKDR_SOCMER.SM) o SpyGate (BKDR_BLADABI.SMC) o Luminosity Link (BKDR_LUMINOSITY.SM1) o Xtreme (WORM_XTREME.SMM) ## Configuration and C&C Communication ``` MajikPOS contacts its C&C server to register the infected system, along with the local IP address, Hardware ID (HWID), Operating System (OS), and computer name. All communication between client and server is encrypted with AES-ECB with Base64 encoding. _Figure 1: Sample encrypted C&C communication_ 2 ----- _Figure 2: The information after decrypting the C&C communication_ The key used in the sample we analyzed (427f1bf2b91cad1e9a4b7e095d6c83763f1bd50d6b8d515d3dbee9f96ef47097) is: **_@#$%^&*()<>,./;'-==oqwertgnhiopl_** Once registered, the server replies with a configuration file in this format: ok#|# _Figure 3: Server responds with configuration details after registration_ The malware then asks the server to update the executable while passing along the HWID and password—the first data from its configuration. As a result, another file is downloaded from the server, which is saved and executed in the system as “%WinDir%\conhost.exe”. _Conhost.exe is then executed with encrypted arguments. The malware continues to do a task_ request from the server while the downloaded component runs in parallel. As of this time, only “exeupdate” was executed, but code analysis indicates that it can also delete itself from the system using the command “deletebot”. _Figure 4: Malware requests for EXE update_ _Figure 5: Encrypted command-line argument of conhost.exe_ 3 ----- _Figure 6: Decrypted command-line argument of conhost.exe_ _Figure 7: Malware requests for commands_ _Figure 8: “exeupdate” and “deletebot” routines_ The C&C servers are coded within the malware binary, which utilized both domain names and [IP addresses—the domain names were not employing Domain Generation Algorithm (DGA).](http://blog.trendmicro.com/domain-generating-algorithms-dgas/) 4 ----- ## RAM-scraping Routine _Conhost.exe is the component responsible for RAM scraping. It uses information from the_ configuration file for this routine—a whitelist of processes to be skipped when scanning for credit card track data; and regular expressions that verify Track 1 and Track 2 data. PoS malware typically scan the process memory of PoS software, where the credit card data are located; they are also stored on the magnetic stripe tracks (1, 2, and 3). A PoS malware would need to conduct pattern matching on the track data (sometimes only track 2) to identify the credit card dumps in memory. Track 1 contains the credit card number, expiration date, service code, and the cardholder’s name, while Track 2 has the credit card number, expiration date, and service code. Processes not in the whitelist are first scanned for strings with delimiters, such as ‘=’ and ‘^’ and beginning with ‘B’ or ‘;’ and ends with ‘?’, to make the routine faster. Depending on the result, it will further verify if the track data is valid via regex matching: - Track 1: ([3-6]{1}\d{14,15}\^[a-zA-Z/. ]{0,50}\^\d{12,22}) - Track2: [3-6]{1}\d{14,15}=\d{4}(101|121|126|201|206|220|221|226|521|606|620)\d{5,15} _[Figure 9: Regex used to match Track 1 data (visualization by REGEXPER)](https://regexper.com/)_ 5 ----- _Figure 10: Regex used to match Track 2 data (visualization by REGEXPER)_ [Magnetic stripe cards store this information in a format defined by ISO/IEC 7813:2006, where it](https://www.iso.org/standard/43317.html) is possible to determine the credit card issuer (i.e., Visa, MasterCard, American Express, etc.) through the primary account number (PAN), and card type (service code). These ascertain the card’s restrictions, and where it can be used. MajikPOS checks the first digit which must be a value from 3 to 6. MajikPOS also checks the service codes and delimiters “=” or “^” in their proper places. While it uses regular expressions to match a valid card number, it does not use Luhn algorithm (a checksum formula) to validate the credit card number. 6 ----- After verifying the track data, the information is sent to the C&C server via HTTP POST, Action=”bin”: _Figure 11: MajikPOS sends track data via HTTP POST_ Delving into the conhost.exe’s code, we found that conhost.exe declares .NET classes corresponding to the backdoor commands of the malware while communicating to its C&C server. Interestingly, only the Track and SerializedTracks were used by conhost.exe among other classes present. The other classes/commands were used by its main component. It appears conhost.exe is designed as such so the main and RAM-scraping components can be combined into one module. Here is a summary of the backdoor commands: **Command** **Description** **Parameter** _ExeUpdate_ Download an updated HWID copy of the malware Password Action _GetTask_ Request for additional HWID tasks from C&C server Action _Register_ Reports the infected ExternalIp machine information to LocalIP the C&C server HWID OS Pcname Action _Serialized Tracks_ Reports the scraped Tracklist:bin,Procname credit card information to HWID the C&C server Action _DeleteBot_ Removes the malware from the infected machine _Figure 12: Description of the backdoor commands_ |Command|Description|Parameter| |---|---|---| |ExeUpdate|Download an updated copy of the malware|HWID Password Action| |GetTask|Request for additional tasks from C&C server|HWID Action| |Register|Reports the infected machine information to the C&C server|ExternalIp LocalIP HWID OS Pcname Action| |Serialized Tracks|Reports the scraped credit card information to the C&C server|Tracklist:bin,Procname HWID Action| |DeleteBot|Removes the malware from the infected machine|| 7 ----- ## Online Shops for Stolen Credit Card Data The peddler, who goes by the handle “MAGICDUMPS”, had specific instruction to “work exactly as instructed after you buy the dumps”. This can possibly refer to the location (city, area code, and ZIP code) where the card must be used to ensure “the highest percentage of approval rate”. This can also suggest why the “magic dumps” shop indicates the country, state, city, and ZIP code. These dumps can also be searched by location. _Figure 13: MAGICDUMPS advertising stolen credit card data_ _Figure 14: MAGICDUMPS’s instructions on how to use the stolen data_ 8 ----- Here are the domains we found selling credit card data stolen by MajikPOS, based on our research on one of the malware’s C&C servers. The name “SwipeIT” curiously coincides with [our research on another PoS malware, FastPOS (TSPY_FASTPOS).](http://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/) **Domain Name** **Create Date** [swipe[.]wtf](https://whois.domaintools.com/swipe.wtf) 12/4/2016 [swipeit[.]pro](https://whois.domaintools.com/swipeit.pro) 12/5/2016 [mcdumps[.]pro](https://whois.domaintools.com/mcdumps.pro) 12/21/2016 [mcdumps[.]top](https://whois.domaintools.com/mcdumps.top) 12/21/2016 [umbpan[.]pw](https://whois.domaintools.com/umbpan.pw) 1/16/2017 [umbpan[.]xyz](https://whois.domaintools.com/umbpan.xyz) 1/16/2017 magicdumps[.]biz 1/19/2017 [magicdumps[.]one](https://whois.domaintools.com/magicdumps.one) 1/19/2017 magicdumps[.]pw 1/19/2017 [magicdumps[.]trade](https://whois.domaintools.com/magicdumps.trade) 1/19/2017 [magicdumps[.]pro](https://whois.domaintools.com/magicdumps.pro) 1/30/2017 [magicdumps[.]review](https://whois.domaintools.com/magicdumps.review) 1/30/2017 [magicdumps[.]space](https://whois.domaintools.com/magicdumps.space) 1/30/2017 [magicdumps[.]xyz](https://whois.domaintools.com/magicdumps.xyz) 1/30/2017 [magicdumps[.]top](https://whois.domaintools.com/magicdumps.top) 2/1/2017 _Figure 15: Domains of the “Magic Dump” shops_ ## Indicators of Compromise **_File Hashes, detected as TSPY_MAJIKPOS.A (SHA-256)_** 427f1bf2b91cad1e9a4b7e095d6c83763f1bd50d6b8d515d3dbee9f96ef47097 283d1780fbd96325b19b7f273343ba8f8a034bd59f92dbf9b35e3a000840a3b4 14e5efcf0ba8773bcaf1c1b0517a614af68caa67902ee9f26a2a07a2ade58efb 25e4d8354c882eaea94b52039a96cc6d969a2dec8486557351cfa1d05c3b8984 4bbc0afc598c197f137d0617de4bd1ab8c6eef751accb83a5bb6ea02e6c047c0 **_C&C Servers_** umbpan[.]xyz/80okg80/ 195[.]22 [.]126[.]234:449/old1/ 193[.]169[.]252[.]102:449/1np3r0t/ umbpan[.]pw:8880/o4m3kw/ umbpan[.]pw:8880/o2kf8gp/ |Domain Name|Create Date| |---|---| |swipe[.]wtf|12/4/2016| |swipeit[.]pro|12/5/2016| |mcdumps[.]pro|12/21/2016| |mcdumps[.]top|12/21/2016| |umbpan[.]pw|1/16/2017| |umbpan[.]xyz|1/16/2017| |magicdumps[.]biz|1/19/2017| |magicdumps[.]one|1/19/2017| |magicdumps[.]pw|1/19/2017| |magicdumps[.]trade|1/19/2017| |magicdumps[.]pro|1/30/2017| |magicdumps[.]review|1/30/2017| |magicdumps[.]space|1/30/2017| |magicdumps[.]xyz|1/30/2017| |magicdumps[.]top|2/1/2017| 9 ----- Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com. ©2017 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. 10101 N. De Anza Blvd. Cupertino, CA 95014 U.S. toll free: 1 +800.228.5651 Phone: 1 +408.257.1500 Fax: 1 +408.257.2003 -----