SecurityWeek

Cybercrime

PinkKite POS Malware Is Small but Powerful

A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal.

Called PinkKite, the POS malware was observed last year in a large campaign that ended in December, but was only detailed last week at Kaspersky Lab’s Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, it is believed to have first appeared last year.

Like previously observed POS malware families such as TinyPOS and AbaddonPOS, PinkKite is very small (under 6 KB) and relies on its tiny footprint to evade detection. Despite that size, it includes memory-scraping and card-data validation capabilities.

Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week’s SAS 2018, reveal that PinkKite uses a double-XOR cipher with a hardcoded key to obfuscate stolen credit card numbers. It also has built-in persistence mechanisms and a backend that exfiltrates data through a clearinghouse rather than straight to a command and control (C&C) server, as POS malware typically does.

In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed.

The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy.

To spread inside a victim, the attackers likely compromised one system and then moved laterally across the targeted company’s network using PsExec. They used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS) process, and then connected to the compromised systems over Remote Desktop Protocol (RDP) sessions to collect the stolen credit card data.

The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program, using names such as Svchost.exe, Ctfmon.exe and AG.exe. Several versions of the malware exist, including a whitelist variant that scrapes only the processes on a list and a blacklist variant that scrapes everything except the processes it is told to skip.


After scraping credit card data from process memory, PinkKite validates candidate card numbers with the Luhn check. It then encodes the 16 digits of each card number with a double-XOR operation against a predefined key and stores the results in compressed files that can hold as many as 7,000 card numbers each.

The files are then sent to one of the clearinghouses over a separate RDP session. The researchers found that these remote systems had collected hundreds or thousands of malware output files.

The attackers were stealthy enough to stay under the radar until the targeted organization was alerted that its customers’ credit card data was being sold on the black market.

Travis Smith, principal security researcher at Tripwire, told SecurityWeek in an email that, although this malware family has a small footprint, its size has nothing to do with whether it can be detected.

“A change on a static endpoint like a point-of-sale machine will stick out clearly with the proper controls. Application whitelisting is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point-of-sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built-in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection is key in a successful security architecture,” Smith said.

He also pointed out that the malware’s small size forced it to rely heavily on network communication, which can be prevented and detected.

“Since point-of-sale networks are also fairly static, any communication outside of an established baseline can be considered malicious until proven benign. Utilizing a whitelist set of firewall rules on the point-of-sale network will limit the malware from sending stolen credit cards to adversaries around the world,” Smith concluded.
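One way to act on the baseline idea above, as an added example that is not part of the article or Tripwire's own tooling: keep an explicit allow-list of the destinations a POS segment is permitted to reach, and flag every flow that falls outside it. The allow-list entries, the addresses and the flow records below are all constructed; in practice the list comes from the segment's firewall policy and the flows from NetFlow or firewall logs.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical allow-list for a POS segment: (destination network, permitted ports).
# Anything not matched here is treated as malicious until proven benign.
ALLOWED_DESTS = [
    (ip_network("203.0.113.0/24"), {443}),   # payment processor (documentation range, placeholder)
    (ip_network("10.10.0.5/32"), {53}),      # internal DNS resolver
    (ip_network("10.10.0.20/32"), {8530}),   # internal patch server
]

# Constructed flow records: (src, dst, dst_port, bytes_out). The last two mirror the
# article's tradecraft: an outbound RDP session and SMB traffic typical of PsExec.
FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.10.5.11", "203.0.113.10", 443, 4200),
    ("10.10.5.11", "10.10.0.5", 53, 120),
    ("10.10.5.12", "198.51.100.7", 3389, 987654),
    ("10.10.5.12", "10.10.5.13", 445, 50000),
    ("10.10.5.13", "10.10.0.20", 8530, 31000),
]


def flow_allowed(dst: str, dport: int) -> bool:
    """True when the destination and port match an allow-list entry."""
    addr = ip_address(dst)
    return any(addr in net and dport in ports for net, ports in ALLOWED_DESTS)


def find_anomalies(flows: List[Tuple[str, str, int, int]]) -> List[Tuple[str, str, int, int]]:
    """Every flow outside the baseline, in the order seen."""
    return [f for f in flows if not flow_allowed(f[1], f[2])]


def bytes_out_by_source(flows: List[Tuple[str, str, int, int]]) -> Dict[str, int]:
    """Sum outbound bytes of anomalous flows per POS host, to rank which terminal to look at first."""
    totals: Dict[str, int] = {}
    for src, _dst, _port, nbytes in find_anomalies(flows):
        totals[src] = totals.get(src, 0) + nbytes
    return totals


if __name__ == "__main__":
    for src, dst, port, nbytes in find_anomalies(FLOWS):
        print(f"ALERT {src} -> {dst}:{port} ({nbytes} bytes) not in POS baseline")
    print(bytes_out_by_source(FLOWS))
```

The same allow-list, expressed as default-deny egress rules on the segment firewall, is the preventive half of the control; the script is the detective half, and both hinge on the list being short enough to review by hand, which is exactly what a static POS network makes possible.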

Related: New PoS Malware Family Discovered

Related: POS Malware Abuses Exposed ElasticSearch Nodes for C&C

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
