
Security researchers identify new PoS malware dubbed ‘Punkey’


Security researchers at Trustwave have uncovered a new point-of-sale (PoS) malware family, dubbed ‘Punkey’, during an investigation led by the US Secret Service.

The new malicious program ‘Punkey’ has at least three variants and is very similar to another family of PoS malware known as NewPosThings.

According to Trustwave, Punkey can search for and steal personal details. It has the “rare” ability to update and alter its capabilities remotely.

Payment card data and more than 75 IP addresses of active victims were recovered during the investigation. It remains unclear how many victims Punkey has claimed in total.

Punkey has versions for both 32-bit and 64-bit Windows-based PoS terminals. The malware injects itself into the Windows explorer.exe process and creates registry start-up entries to ensure its persistence. It also drops a file called DLLx64.dll which is the keylogger component.
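The two host-based indicators the article gives (a registry start-up entry for persistence, and the DLLx64.dll keylogger being loaded into explorer.exe) are exactly what an incident responder would hunt for on a fleet of PoS terminals. The following is an added example, not Trustwave's tooling or anything from the original report: it runs a simple triage over constructed snapshots of autorun values and per-process module lists, as they might be exported from a terminal. The Run-key paths, the user-writable-directory heuristic, and every file path and PID in the sample data are assumptions for illustration; only the DLLx64.dll name and the explorer.exe injection target come from the article.

```python
import ntpath
from typing import Dict, List

# Indicators taken from the article: the keylogger component is dropped as
# DLLx64.dll and the main module injects itself into explorer.exe.
KEYLOGGER_DLL = "dllx64.dll"
INJECTION_TARGET = "explorer.exe"

# Generic heuristic, not from the article: autorun commands that launch code
# from user-writable locations deserve a second look on a PoS terminal.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def scan_autorun(entries: List[Dict[str, str]]) -> List[str]:
    """Flag registry start-up values that reference the keylogger DLL or run
    something from a user-writable directory. Each entry carries the key
    path, the value name and the command stored in the value."""
    findings = []
    for e in entries:
        cmd = e["command"].lower()
        where = f'{e["key"]}\\{e["name"]}'
        if KEYLOGGER_DLL in cmd:
            findings.append(f"{where}: references {KEYLOGGER_DLL}: {e['command']}")
        elif any(h in cmd for h in USER_WRITABLE_HINTS):
            findings.append(f"{where}: starts code from a user-writable path: {e['command']}")
    return findings


def scan_loaded_modules(records: List[Dict[str, str]]) -> List[str]:
    """Flag any process that has the keylogger DLL mapped, and mark whether
    the host process is the documented injection target (explorer.exe)."""
    findings = []
    for r in records:
        if ntpath.basename(r["module"]).lower() != KEYLOGGER_DLL:
            continue
        tag = "injection target" if r["process"].lower() == INJECTION_TARGET else "unexpected host"
        findings.append(f"pid {r['pid']} {r['process']} ({tag}) loaded {r['module']}")
    return findings


# Constructed sample data for offline use; paths, value names and PIDs are
# made up and are not indicators from the report. The Run-key locations are
# an assumption: the article only says "registry start-up entries".
SAMPLE_AUTORUN = [
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "command": r"C:\Users\pos\AppData\Roaming\update.exe"},
]

SAMPLE_MODULES = [
    {"pid": "1340", "process": "explorer.exe", "module": r"C:\Windows\System32\shell32.dll"},
    {"pid": "1340", "process": "explorer.exe", "module": r"C:\Users\pos\AppData\Roaming\DLLx64.dll"},
    {"pid": "2208", "process": "posapp.exe", "module": r"C:\Program Files\POS\posapp.exe"},
]


def run_scan(autorun=SAMPLE_AUTORUN, modules=SAMPLE_MODULES) -> List[str]:
    """Combine both checks into one list of human-readable findings."""
    return scan_autorun(autorun) + scan_loaded_modules(modules)


if __name__ == "__main__":
    for line in run_scan():
        print(line)
```

On a real engagement the two input lists would come from the terminal itself (for example an autoruns export and a per-process module listing), and a hit on DLLx64.dll inside explorer.exe should be treated as a confirmed infection rather than a heuristic, since the injection into explorer.exe is the behaviour the researchers describe.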

All payment card details and keystrokes captured by the malware are first encrypted with AES (Advanced Encryption Standard) and are then sent back to a command-and-control (C&C) server.

The Punkey malware also performs keylogging, capturing 200 keystrokes at a time and sending them back to the server.

“The injection and hiding process with Punkey is more advanced than most of the point-of-sale malware that we currently see. In particular, command and control server interaction with the malware is something we don’t see very often,” the Trustwave researchers noted in a blog post.

“The ability to execute arbitrary programs and update the malware is not something typically seen in point-of-sale malware”.