Yet Another POS Malware Strain Discovered

Last week, this blog reported on a dangerous strain of malware, known as PoSeidon, that targets the POS systems of small retailers, including bars and restaurants. A recent report issued by security firm Trustwave indicates that yet another malware variant specifically targeting POS systems has been spotted in the wild. This malware, known as Punkey, appears to have evolved from the recently discovered “NewPOSthings” family of malware, first identified by researchers from Arbor Networks. While the discovery of Punkey is the topic of this article, it’s worth pointing out that TrendMicro recently detailed the discovery of multiple malware strains based on the NewPOSthings source code.

This suggests that multiple groups of hackers could be developing targeted campaigns based on the same or similar source code. Punkey was discovered during a recent law enforcement investigation, but since that time the hackers behind this malware variant have improved the threat in many ways. In fact, there are three different iterations of the malware actively being used in attacks, each tailored for specific targets within the retail industry. Like some of the other POS-specific malware variants recently discovered (such as PoSeidon), Punkey implements many similar features; however, researchers were surprised to learn that Punkey has the unusual ability to update and alter many of its capabilities remotely. According to a blog post by Trustwave: “A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as, checking for updates to Punkey itself.”

This gives Punkey the ability to run additional tools on the infected system, such as reconnaissance tools or privilege escalation utilities. This is a rare feature for POS malware.

Data transferred from Punkey to the C&C servers includes payment card numbers and other relevant data collected by the built-in keylogger module. Some of the differences that make Punkey more difficult to detect than other POS malware variants include the use of AES encryption (most POS variants use RSA), the location of the folder it copies itself to (which makes it harder for antivirus software to locate the malware), and the ability to inject malicious code directly into running processes while the PC is operating.


The changes to Punkey that make it so dangerous are just the beginning of a growing concern over the safety of POS systems around the country. Security experts assert that the measures that protect POS systems from cyberattacks are not adequate, and that this gap represents a growing threat as hackers continually look for new ways to extract financial information from businesses without detection.

As with PoSeidon and other POS malware variants, there is little consumers can do to protect their information from falling into the hands of hackers as a result of these tools.

Regularly checking financial statements and immediately reporting any suspicious activity is the single best way to mitigate any financial losses that could occur as a result of visiting a retailer with an infected POS system.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.

The PCrisk security portal is brought to you by the company RCS LT. The joined forces of its security researchers help educate computer users about the latest online security threats.
