PunkeyPOS Variant Slurping Data from US POS Terminals

Security researchers have spotted a new variant of the PunkeyPOS malware family designed to lift credit card details from victim organizations.

Panda Security’s PandaLabs unit claimed in a blog post that as many as 200 terminals have been affected so far, the vast majority of which are located in the United States.

Thanks to a misconfigured C&C server, the security vendor managed to access it and view a “Bots manager” panel which allows the malware authors to reinfect or update their current list of infected clients.

The malware itself is similar to that publicized in April last year, according to PandaLabs technical director, Luis Corrons.

"That malware [from] April 2015 was from the same family. This is a new version made in April 2016, but from a functionality level the malware behaves in the same way,” he told Infosecurity by email.

“Funnily enough, we found this one by accident: we were investigating a different case involving hundreds of restaurants, bars, etc. attacked by POS malware (not related to PunkeyPOS) and one of those POS was also infected with this one.”

In terms of functionality, the malware includes a keylogger responsible for monitoring keystrokes and a RAM scraper designed to read the memory of processors running on the system.

PunkeyPOS will decide which data is relevant and ignore anything that isn’t card data, which is read from the magnetic stripe and sold to fraudsters who can use it to clone cards for use at a later date.

“Once the relevant information has been obtained, it is encrypted and forwarded to a remote web server which is also the command and control (C&C) server,” Panda Security explained.

“In order to avoid the detection of the card information in case somebody is scanning the network traffic, it is encrypted before it is sent using the AES algorithm.”

The oddly titled malware is named after 80s US sitcom Punky Brewster.

What’s Hot on Infosecurity Magazine?