How does the MajikPOS malware evade detection?
A new POS malware downloads a RAM scraper to avoid detection. Expert Nick Lewis explains the tricks MajikPOS uses to target retail terminals and how to defend against it.
Trend Micro Inc. discovered a new type of point-of-sale malware called MajikPOS infecting the POS systems of businesses in the U.S. and Canada. They reported that the POS malware authors used several tricks to escape detection and hide their code. What are these tricks, and what mitigation steps are available for the MajikPOS malware?
New point-of-sale (POS) malware is a dime a dozen, and attackers continue to target POS systems because they continue to be profitable. The constant battle between merchants and their attackers is why endpoint security tools and the PCI Data Security Standards will continue to be critical to protecting consumers.
While it can be difficult for enterprises to secure all of their systems, securing endpoints can be even more challenging for small merchants that rely on outsourced service providers to manage and secure their POS systems. Smaller merchants also often need immediate remote support to keep their businesses in operation, which explains why outsourced service providers have remote access to their POSes, despite the risks.
Trend Micro wrote about the new MajikPOS malware, which is a fairly standard but highly effective threat. While most POS malware ships with its RAM scraper built in, MajikPOS downloads its RAM scraper as a separate component after the initial infection, which could help it bypass tools that monitor files capable of reading memory on the endpoint. In some cases, Trend Micro reported, the MajikPOS operators also used the remote administration tool Ammyy Admin for remote access, which should have triggered an alarm on the endpoint.
Trend Micro offered mitigation recommendations, starting with application whitelisting so that only approved software can run and install updates, along with using an endpoint security tool with application control functionality and using network-based tools to block the malware and its related connections. The company has a specific guide to defending against POS RAM scrapers, as well as a guide to protecting against RAM scrapers.
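As an added example (not code from the article or from Trend Micro), the following script shows the two endpoint checks the preceding paragraphs describe: an application allowlist over process launches, plus alarms for a remote administration tool such as Ammyy Admin and for a freshly written, unapproved binary launched from its session, the pattern of a RAM scraper downloaded after the initial infection. The log format, the approved-image list, every path and the 600-second freshness threshold are constructed assumptions.

```python
"""Allowlist triage of POS process-creation records; all data is constructed."""

# Constructed approved-image list for a hypothetical POS terminal build.
APPROVED_IMAGES = {
    r"c:\pos\register.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
}
# Substring identifying a remote-administration tool; "ammyy" (Ammyy Admin)
# is the one the article names. The "just dropped" threshold is assumed.
REMOTE_ADMIN_MARKERS = ("ammyy",)
FRESH_BINARY_SECONDS = 600


def parse_event(line):
    """Parse 'image | parent | seconds since file write' (constructed format)."""
    image, parent, age = (f.strip() for f in line.split("|"))
    return image.lower(), parent.lower(), int(age)


def classify(image, parent, file_age):
    """Findings an application-control policy would raise for one launch."""
    findings = []
    approved = image in APPROVED_IMAGES
    if not approved:
        findings.append("unapproved-image")
    if any(m in image for m in REMOTE_ADMIN_MARKERS):
        findings.append("remote-admin-tool")
    if any(m in parent for m in REMOTE_ADMIN_MARKERS):
        findings.append("spawned-by-remote-admin")  # placed via a remote session
    if not approved and file_age < FRESH_BINARY_SECONDS:
        findings.append("recently-dropped-binary")  # late-downloaded component
    return findings


def triage(lines):
    """Map each flagged image to its findings; clean approved launches drop out."""
    result = {}
    for line in lines:
        image, parent, age = parse_event(line)
        findings = classify(image, parent, age)
        if findings:
            result[image] = findings
    return result


# Constructed sample: a normal launch, the remote-admin tool, and a binary
# written to disk two minutes before that tool's session launched it.
SAMPLE_LOG = [
    r"C:\POS\register.exe | C:\Windows\explorer.exe | 86400",
    r"C:\Users\pos\AppData\Local\Temp\ammyy_admin.exe | C:\Windows\explorer.exe | 3600",
    r"C:\Users\pos\AppData\Local\Temp\svc_update.exe | C:\Users\pos\AppData\Local\Temp\ammyy_admin.exe | 120",
]
```

Running `triage(SAMPLE_LOG)` flags only the remote-admin tool and the binary it dropped; the approved register process produces no finding.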
The most important mitigation for the MajikPOS malware may be to use secure remote access of the kind PCI DSS requires, which would prevent the malware from being placed on the endpoint over a remote session. Alternatively, merchants can move to POS terminals that support EMV chip and PIN payment cards.