Found by the Trend Micro team, the malware was first picked up by security scanners around January 28, 2017. Nevertheless, the newly uncovered evidence revealed that MajikPOS first infected systems between August and November 2016.
According to researchers, the malware creators scanned for open VNC and RDP ports and used brute-force attacks to guess weak credentials.
Upon breaching one of these randomly selected networks, they downloaded and installed MajikPOS. Trend Micro states that the attackers used a range of techniques to drop the malware: VNC, RDP, RAT access, command-line FTP, and even a modified version of the Ammyy Admin remote control software package.
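The intrusion path described above (port scan, credential brute force over RDP/VNC, then a successful logon) leaves a distinctive trace in Windows Security logs: a burst of failed logons (event 4625) from one source followed by a success (4624). The following is an added detection example written for this article, not code from Trend Micro or from the malware; the log extract is constructed, the flattened `key=value` line format is an assumption (a real deployment would read the events via the Event Log API or a SIEM export), and the threshold and window are illustrative defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log extract, not a real capture.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-09-14T02:11:05Z EventID=4625 LogonType=10 Account=administrator Source=198.51.100.23
2016-09-14T02:11:06Z EventID=4625 LogonType=10 Account=admin Source=198.51.100.23
2016-09-14T02:11:07Z EventID=4625 LogonType=10 Account=pos Source=198.51.100.23
2016-09-14T02:11:08Z EventID=4625 LogonType=10 Account=pos1 Source=198.51.100.23
2016-09-14T02:11:09Z EventID=4625 LogonType=10 Account=cashier Source=198.51.100.23
2016-09-14T02:11:11Z EventID=4624 LogonType=10 Account=pos1 Source=198.51.100.23
2016-09-14T03:40:00Z EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.8
2016-09-14T03:40:30Z EventID=4624 LogonType=10 Account=jsmith Source=203.0.113.8
"""


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag sources with >= threshold RDP logon failures inside a sliding window.

    Returns {source_ip: {"failures", "accounts", "succeeded_as"}}. A 4624 from a
    source that is already flagged is recorded as the account the attacker got
    into, which is the case that needs immediate incident response.
    """
    recent = defaultdict(list)   # source ip -> timestamps of failures in window
    tried = defaultdict(set)     # source ip -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_event(line)
        if rec.get("LogonType") != "10":
            continue            # only RDP (RemoteInteractive) logons
        src, ts = rec["Source"], rec["ts"]
        # drop failures that fell out of the sliding window
        recent[src] = [t for t in recent[src] if ts - t <= window]
        if rec["EventID"] == "4625":
            recent[src].append(ts)
            tried[src].add(rec["Account"])
            if len(recent[src]) >= threshold:
                alert = alerts.setdefault(src, {"succeeded_as": None})
                alert["failures"] = len(recent[src])
                alert["accounts"] = sorted(tried[src])
        elif rec["EventID"] == "4624" and src in alerts:
            # success right after a spray: treat the account as compromised
            alerts[src]["succeeded_as"] = rec["Account"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {a['failures']} failures over {a['accounts']}, "
              f"succeeded as {a['succeeded_as']}")
```

The single failure from 203.0.113.8 followed by a success is ordinary user behaviour and is not flagged; the five-account spray from 198.51.100.23 that ends in a successful logon as `pos1` is exactly the pattern that precedes a MajikPOS drop.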
Next, the malware gathered information on each victim and, using RAT-specific modules, let the attackers scan the local network for computers handling payment data. When they found workstations used to process POS data, MajikPOS downloaded a memory-scraping module that monitored the device's RAM for anything resembling payment card data.
This memory-scraping module collected the payment card data entered into the POS software and sent it to its C&C server.
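What "anything resembling payment card data" means in practice is magnetic-stripe track data sitting in cleartext in the POS process's memory. The following is an added example, not MajikPOS's code and not from Trend Micro's report: it shows the core of a RAM scraper, a Track 2 pattern match followed by a Luhn check to discard random digit runs. The same logic is what a defender runs over a process dump to confirm whether a terminal exposes unencrypted track data. The regex is modelled on the ISO/IEC 7813 Track 2 layout and is an assumption about what such a scraper looks for; the memory buffer is constructed and uses well-known test card numbers.

```python
import re

# Track 2 layout: start sentinel ';', 13-19 digit PAN, separator '=', YYMM
# expiry, 3-digit service code, discretionary data, end sentinel '?'.
# Assumed pattern based on ISO/IEC 7813, not the malware's own regex.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used to filter out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes) -> list:
    """Return Luhn-valid Track 2 records found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue            # layout matched but the PAN is not a real card number
        hits.append({
            "pan": pan,
            "expiry": f"{m.group(2).decode()}/{m.group(3).decode()}",  # YY/MM
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return hits


def mask(pan: str) -> str:
    """Show only BIN and last four, so a defender's report stays PCI-safe."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed buffer imitating a POS process memory dump. The PANs are the
# widely published Luhn-valid test numbers 4111111111111111 and 5500000000000004,
# plus a Luhn-invalid decoy that matches the layout but must be rejected.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp v2.1\x00terminal=07\x00"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"junk;1234567890123456=2301101000?junk"        # fails Luhn
    b"\x00;5500000000000004=2608201999?\x00"
)

if __name__ == "__main__":
    for h in scrape_track2(SAMPLE_MEMORY):
        print(f"offset {h['offset']:5d}: {mask(h['pan'])} "
              f"exp {h['expiry']} svc {h['service_code']}")
```

The Luhn filter is what keeps such a scraper (and a defender's scan) from flooding its output with false positives from timestamps, serial numbers and other digit runs; the decoy record in the sample buffer matches the regex but is dropped for exactly that reason.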
MajikPOS, which is written in .NET, is not the first POS malware to feature a modular design, an approach that has become very popular with POS malware in the past year. Other strains such as FastPOS, Gorynych and ModPOS feature a similar modular style.
In October 2016, Guardicore identified Trojan.sysscan, a trojan that operated very similarly to MajikPOS; however, Trojan.sysscan was coded in Delphi, not .NET.