Last week, this blog reported on a dangerous strain of malware, known as PoSeidon, that is targeting the POS systems of small retailers, including bars and restaurants. A recent report issued by security firm Trustwave indicates that yet another malware variant specifically targeting POS systems has been spotted in the wild. This malware, known as Punkey, appears to have evolved from the recently discovered “NewPOSthings” family of malware, first identified by researchers from Arbor Networks. While the discovery of Punkey is the topic of this article, it’s worth pointing out that TrendMicro recently detailed the discovery of multiple malware strains based on the NewPOSthings source code.
This suggests that multiple groups of hackers could be developing targeted campaigns based on the same or similar source code. Punkey was discovered during a recent law enforcement investigation, but since that time the hackers behind this malware variant have improved the threat in many ways. In fact, there are three different iterations of the malware actively being used in attacks – each variant has been tailored for specific targets within the retail industry. Like some of the other POS-specific malware variants recently discovered (such as PoSeidon), Punkey implements many of the same features; however, researchers were surprised to learn that Punkey exhibits the unique ability to update and alter many of its capabilities remotely. According to a blog post by Trustwave: “A second thread has spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself.”
This gives Punkey the ability to run additional tools on the infected system, such as executing further reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware.
Data transferred from Punkey to the C&C servers includes payment card numbers and other relevant data collected by the built-in key logger module. Some of the differences that make Punkey more difficult to detect than other POS malware variants include the use of AES encryption (most POS variants use RSA), the location of the copy folder (which makes it more difficult for antivirus software to locate the malware), and the ability to inject malicious code directly into running processes while the PC is operating.
The changes to Punkey that make it so dangerous are just the beginning of a growing concern over the safety of POS systems around the country. Security experts assert that the measures that protect POS systems from cyberattacks are not adequate, and that this gap represents a growing threat as hackers continually look for new ways to extract financial information from businesses without detection.
As with PoSeidon and other POS malware variants, there is little consumers can do to prevent their information from falling into the hands of hackers as a result of these tools.
Regularly checking financial statements and immediately reporting any suspicious activity is the single best way to mitigate any financial losses that could occur as a result of visiting a retailer with an infected POS system.