Punkey, a new POS Malware in the criminal ecosystem

Malware researchers at Trustwave have detected a new point-of-sale (PoS) malware, dubbed Punkey, that criminal crews used to compromise the payment systems of several organisations.

The experts discovered Punkey during a law enforcement investigation. Since its discovery, the operators have improved the PoS malware significantly, and the researchers have identified three distinct variants of the agent.

Trustwave speculates that different criminal crews used Punkey in their campaigns, tailoring it to specific targets in the retail industry.

Punkey implements common features of other PoS malware, but experts were surprised by its ability to update and alter its capabilities remotely.

“A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself. This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware,” reads a post on the Trustwave SpiderLabs blog.

The malicious code also implements reconnaissance and hacking abilities.

“This traffic is AES encrypted, base64 encoded, then URL encoded. After reversing the process the data sent looks like this (no, it’s NOT a valid payment card number):”

[Image: decoded sample of the data Punkey sends to its C&C server]

“This is where the naming fun comes into play! The combination of P(OST)unkey and calling the malware author a punk was just too sweet to pass up.” continues the post.

Data transferred by the Punkey PoS malware to C&C servers includes payment card numbers and data collected by the Keylogger module.
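The post describes the exfiltration channel as AES encryption, then base64, then URL encoding, and notes that the decoded sample does not carry a valid card number. As an added example (not code from the original post or from Trustwave), the following Go program builds a constructed record, applies that encoding chain, reverses it the way an analyst would on a captured POST parameter, and then runs a Luhn check over the decoded text so that real-looking primary account numbers can be separated from filler. The cipher mode (CBC), the key, the IV and the sample record are all assumptions: the post does not publish Punkey's key material or cipher mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// DemoKey and DemoIV are placeholders, not Punkey's real key material.
var DemoKey = []byte("0123456789abcdef")
var DemoIV = []byte("fedcba9876543210")

// SamplePlain is a constructed record mixing keylogger output with track data.
// 4111111111111111 is the well-known Visa test number (passes Luhn);
// 4111111111111112 differs in the last digit and fails Luhn.
const SamplePlain = "keylog:cashier01 typed 'manager override'\n" +
	"track2:4111111111111111=2512101\n" +
	"track2:4111111111111112=2512101\n"

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("plaintext length is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncodeForExfil mirrors the described chain: AES (CBC assumed) -> base64 -> URL encoding.
func EncodeForExfil(plain, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(append([]byte(nil), plain...), block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return url.QueryEscape(base64.StdEncoding.EncodeToString(ct)), nil
}

// DecodeExfil reverses the chain: URL decode -> base64 decode -> AES-CBC decrypt -> unpad.
func DecodeExfil(param string, key, iv []byte) ([]byte, error) {
	b64, err := url.QueryUnescape(param)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, block.BlockSize())
}

// Luhn reports whether a digit string passes the Luhn checksum used by payment card numbers.
func Luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b\d{13,19}\b`)

// FindCandidatePANs returns the 13-19 digit runs in text that pass the Luhn check.
func FindCandidatePANs(text string) []string {
	var found []string
	for _, m := range panPattern.FindAllString(text, -1) {
		if Luhn(m) {
			found = append(found, m)
		}
	}
	return found
}

func main() {
	param, err := EncodeForExfil([]byte(SamplePlain), DemoKey, DemoIV)
	if err != nil {
		panic(err)
	}
	fmt.Println("captured parameter:", param)
	pt, err := DecodeExfil(param, DemoKey, DemoIV)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded record:\n%s", pt)
	fmt.Println("Luhn-valid PANs:", FindCandidatePANs(string(pt)))
}
```

In an actual investigation the decoder is pointed at the parameter value recovered from proxy or web server logs, with the key and mode taken from the analysed sample; the Luhn filter is what keeps a DLP or detection rule from firing on the kind of non-card filler the post mentions.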

The following table lists the principal differences between the operation of Punkey and that of other PoS malware variants.

[Image: table comparing the operation of Punkey with other PoS malware variants]

PoS malware has been evolving rapidly since 2013; the most interesting developments concern evasion techniques and exfiltration methods.

The number of data breaches is growing at a fast pace, and security experts maintain that the measures in place to prevent cyber attacks against retail systems are still inadequate. For this reason it is important to monitor the evolution of this kind of threat.
