Malware researchers at Trustwave have detected a new point-of-sale (PoS) malware, dubbed Punkey, that criminal crews used to compromise the payment systems of several organisations.
The experts discovered Punkey during a law enforcement investigation. Since then its operators have improved the malware significantly, and the researchers have identified three distinct variants of the agent.
Trustwave speculates that different criminal crews used Punkey in their campaigns, tailoring it to specific targets in the retail industry.
Punkey implements features common to other PoS malware, but the experts were surprised by its ability to update and alter its capabilities remotely.
“A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself. This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware.” reads a blog post published by Trustwave SpiderLabs.
The malicious code also implements reconnaissance and hacking abilities.
“This traffic is AES encrypted, base64 encoded, then URL encoded. After reversing the process the data sent looks like this (no, it’s NOT a valid payment card number):”
“This is where the naming fun comes into play! The combination of P(OST)unkey and calling the malware author a punk was just too sweet to pass up.” continues the post.
The data Punkey transfers to its C&C servers includes payment card numbers and the keystrokes collected by its keylogger module.
The following table lists the principal operational differences between Punkey and other PoS malware variants.
Since 2013, PoS malware has been evolving rapidly; the most notable developments concern evasion techniques and exfiltration methods.
The number of data breaches is growing fast, and security experts maintain that measures to prevent cyber attacks against retail systems are still inadequate; for this reason it is important to monitor the evolution of this kind of threat.