Punkey POS Malware Sets Sights on More Retailers

Researchers involved in a US Secret Service investigation have found a potentially prolific piece of advanced POS malware which could come from the same code base as the previously discovered NewPosThings family.

Trustwave revealed details of its findings in a blog post today. The report comes as part of an active law enforcement investigation which uncovered the malware on a server.

Compromised payment card information and over 75 active victim IP addresses were also found, with multiple command and control (C&C) servers connected to the campaign.

The so-called ‘Punkey’ malware – named after 80s US sitcom Punky Brewster – hides in the Windows OS explorer process, scanning other processes on an infected machine for card data, which it then sends out to a remote server.

Unusually for POS malware, it periodically checks in with the C&C server to see if there are any updates to its own code or new programs to execute, the firm said.
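As an added example (not code from Trustwave's report or from the malware), a small beaconing detector over constructed connection telemetry: it flags a process, here explorer.exe, that contacts a non-internal address at machine-regular intervals, the periodic check-in behaviour just described. The addresses, timestamps and process names are all constructed.

```python
"""Beacon detector over constructed connection telemetry.

Punkey, as described above, periodically checks in with its C&C server from
inside explorer.exe. Regular outbound connections from explorer.exe to a
non-internal address are the kind of signal this looks for.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Internal ranges that normal explorer.exe traffic (file shares, printers) may use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry: (ISO timestamp, process name, destination IP).
# 203.0.113.7 is a documentation address standing in for a C&C server.
SAMPLE_CONNECTIONS = [
    ("2015-04-15T10:00:00", "explorer.exe", "203.0.113.7"),
    ("2015-04-15T10:02:00", "explorer.exe", "10.0.0.5"),
    ("2015-04-15T10:03:12", "chrome.exe", "198.51.100.4"),
    ("2015-04-15T10:05:01", "explorer.exe", "203.0.113.7"),
    ("2015-04-15T10:10:00", "explorer.exe", "203.0.113.7"),
    ("2015-04-15T10:15:02", "explorer.exe", "203.0.113.7"),
    ("2015-04-15T10:41:55", "chrome.exe", "198.51.100.9"),
    ("2015-04-15T10:20:01", "explorer.exe", "203.0.113.7"),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_beacons(connections, min_hits=4, max_jitter=0.05):
    """Return [(process, dest_ip, mean_gap_seconds)] for regular check-ins.

    A (process, destination) pair is flagged when it has at least `min_hits`
    connections and the standard deviation of the gaps between them is at
    most `max_jitter` of the mean gap, i.e. the timing is machine-regular.
    """
    by_pair = defaultdict(list)
    for ts, proc, dest in connections:
        if not is_internal(dest):
            by_pair[(proc, dest)].append(datetime.fromisoformat(ts))
    hits = []
    for (proc, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((proc, dest, mean))
    return hits

if __name__ == "__main__":
    for proc, dest, gap in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{proc} -> {dest} every ~{gap:.0f}s")
```

On the sample data only the explorer.exe check-ins to 203.0.113.7 (gaps of 301, 299, 302 and 299 seconds) are flagged; the one-off browser connections and the internal share access are not.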

It also includes a keylogger designed to collect 200 characters at a time before encrypting and sending the data to a C&C server, allowing attackers to capture any usernames, passwords and other important information that might help them.

While 75 victim IP addresses were discovered, Trustwave isn’t sure how many businesses have been infected so far.

“Each IP address is not necessarily its own business. It just means that 75 copies of the malware were actively checking in,” vice president of security research, Ziv Mador, told Infosecurity.

“This was the only definitive number we have, but it does not mean that Punkey was limited to these 75 infections.”

What is notable about the malware is that it’s arguably more sophisticated than NewPosThings.

“While the two families of malware share some tactics, Punkey goes to greater lengths to hide in the system,” Mador explained.

“By injecting into a legitimate process it makes it much more difficult for the average user to notice it running on the system. Punkey also encodes the malicious binary on disk to appear more innocuous to anyone looking at it.”

NewPosThings was first reported by Arbor Networks in September 2014, having been in development since October the previous year.

Trend Micro then picked up the story earlier this month with a post detailing new developments in the malware family, namely versions for 64-bit and higher.