POS threat 'Punkey' allows additional malware download for greater access

Trustwave also found that the Punkey threat family and NewPosThings share the same code base.
Trustwave also found that the Punkey threat family and NewPosThings share the same code base.

Investigation efforts by the U.S. Secret Service and security firm Trustwave have turned up a new point-of-sale (POS) malware threat, dubbed “Punkey,” which shares the same code base as NewPosThings, another malware family targeting payment card terminals.

While Punkey's resemblance to NewPosThings, which was discovered last fall, includes its compatibility with both 32-bit and 64-bit Windows systems as well as its keylogging routines and RAM scraping functions – Trustwave researcher Eric Merritt revealed in a Wednesday blog post that Punkey also deviates from NewPosThings in several ways.

According to Merritt, "Punkey shows more than enough uniqueness to earn a new name, but it is clear that there is heavy development occurring across different versions of a very similar code base." So far, Trustwave has detected three versions of Punkey – two compiled last October and another compiled in January.

Standout qualities of the Punkey POS family were its use of AES encryption with an embedded key, and a “rare feature” that gives it the ability to download additional malware on targeted systems, which could further criminals' reconnaissance efforts or allow them to perform privilege escalation, Merritt wrote.

In a Thursday interview with SCMagazine.com, Karl Sigler, threat intelligence manager at Trustwave, said that the feature could let attackers “download any piece of malware that the criminals want to push down or even [leverage] exploits that can give them a bigger foothold on the organization.”

He added later that, since attackers have backdoor access already with Punkey, use of additional exploits could give saboteurs root access “if the current malware is only being run in a limited user context," for instance. Regarding Punkey's impact, Sigler said that the joint investigation with law enforcement revealed that 75 unique POS terminals may be infected with the malware.

“Since [Punkey is] new, we haven't see it in any of our other investigations,” Sigler noted.  

He advised that organizations should keep their anti-malware solutions updated, as well as make sure their signatures detect this type of POS threat. Trustwave's Merritt also wrote a decryption tool in Ruby (available on Github) and created a Yara signature that detects all versions of Punkey that the firm observed.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS