During a recent investigation the experts at Trustwave encountered a new strain of POS malware dubbed Punkey which presents interesting features.
Malware researchers at Trustwave have detected a new point of sale (PoS) malware dubbed Punkey that was used by criminal crews to compromise payment systems of some organisations.
The experts discovered Punkey during a law enforcement investigation. Since that discovery its operators have improved the PoS malware significantly, and the researchers have identified three distinct variants of the agent.
Trustwave speculates that different criminal crews used Punkey in their own campaigns, tailoring it to specific targets in the retail industry.
Punkey implements common features of other PoS malware, but experts were surprised by its ability to update and alter its capabilities remotely.
“A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself. This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware.” reads a blog post published on the Trustwave SpiderLabs blog.
The malicious code can therefore be used to stage additional reconnaissance and privilege-escalation tools on the compromised host, not only to scrape card data.
“This traffic is AES encrypted, base64 encoded, then URL encoded. After reversing the process the data sent looks like this (no, it’s NOT a valid payment card number):”
“This is where the naming fun comes into play! The combination of P(OST)unkey and calling the malware author a punk was just too sweet to pass up.” continues the post.
Data transferred by the Punkey PoS malware to its C&C servers includes payment card numbers and the data collected by its keylogger module.
The following table lists the principal differences in operation between Punkey and the other known PoS malware families.
Since 2013 PoS malware has been evolving rapidly; the most interesting developments concern evasion techniques and exfiltration methods.
The number of data breaches is growing at a fast pace, and security experts maintain that the measures taken to prevent cyber attacks against systems in the retail industry are still inadequate. For this reason it is important to monitor the evolution of this kind of threat.
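The post describes the C&C traffic as AES encrypted, then base64 encoded, then URL encoded, and says the decoded data carries card numbers and keylogger output. The following Go program is an added example, not code from the Trustwave post or from the malware: it undoes the three layers in receiver order and then runs a Luhn check over the decoded bytes, which is the first filter a detection or DLP rule would apply before alerting on a suspected PAN in exfil traffic. The key, IV, CBC mode and PKCS#7 padding are assumptions (the post names only "AES"), and the sample plaintext and its encoded form are constructed inside the program.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// ASSUMED key/IV: placeholders for the per-sample values an analyst would
// recover from the binary; they are not Punkey's real values (16 bytes = AES-128).
var AssumedKey = []byte("0123456789abcdef")
var AssumedIV = []byte("fedcba9876543210")

// pkcs7Unpad rejects malformed padding so a wrong key or a truncated capture is
// reported instead of silently yielding garbage. Caller guarantees len(b) > 0.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("inconsistent padding bytes")
	}
	return b[:len(b)-n], nil
}

// DecodeLayers undoes the layers in receiver order: URL decoding, base64, then
// AES decryption. CBC + PKCS#7 is an assumption; the post says only "AES".
func DecodeLayers(captured string, key, iv []byte) ([]byte, error) {
	unescaped, err := url.QueryUnescape(captured)
	if err != nil {
		return nil, fmt.Errorf("url layer: %w", err)
	}
	raw, err := base64.StdEncoding.DecodeString(unescaped)
	if err != nil {
		return nil, fmt.Errorf("base64 layer: %w", err)
	}
	if len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("aes layer: ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, raw)
	return pkcs7Unpad(plain)
}

// EncodeLayers applies the same layers forward. It exists only to build the
// constructed fixture used below and is not derived from the malware.
func EncodeLayers(plain, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return url.QueryEscape(base64.StdEncoding.EncodeToString(ct)), nil
}

// LuhnValid is the first filter for deciding whether a 13-19 digit run is a
// plausible PAN rather than a timestamp or record id. Input must be all digits.
func LuhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var panCandidate = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// FindLuhnValidPANs returns the digit runs in decoded data that pass Luhn: the
// signal a DLP or IDS rule would alert on once the traffic has been decoded.
func FindLuhnValidPANs(data []byte) []string {
	var hits []string
	for _, m := range panCandidate.FindAllString(string(data), -1) {
		if LuhnValid(m) {
			hits = append(hits, m)
		}
	}
	return hits
}

func main() {
	// Constructed sample: one Luhn-valid test PAN and one digit run that fails Luhn.
	sample := []byte("cc=4111111111111111 log=1234567890123456 key=hello")
	wire, _ := EncodeLayers(sample, AssumedKey, AssumedIV)
	decoded, err := DecodeLayers(wire, AssumedKey, AssumedIV)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded: %s\nLuhn-valid PANs: %v\n", decoded, FindLuhnValidPANs(decoded))
}
```

The padding check matters in practice: when the recovered key is wrong, CBC decryption still produces output, and without a strict PKCS#7 check the analyst would search garbage for card numbers. The Luhn filter only narrows candidates; a real rule would also check issuer prefixes and length per brand before raising an alert.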
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".