PinkKite point of sale malware spotted in the wild

The point-of-sale malware may be small, but it packs a punch.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered a new family of point-of-sale (PoS) malware which is far more powerful than its small size would have you believe.

As reported by ThreatPost, researchers from Kroll Cyber Security spotted the new malware, dubbed PinkKite, in 2017.

The team presented their findings at the Kaspersky Lab Security Analyst Summit in Cancun, Mexico.

According to Kroll Cyber Security, PinkKite was uncovered during an investigation into a nine-month PoS campaign which ended in December.

PoS malware is specifically designed to target point-of-sale machines including retail terminals in order to steal valuable data such as credit card information for use in card cloning, identity theft, and for sale in bulk in the underground.

In order to avoid detection, PoS malware often comes with a small footprint, but with a limited capacity and size, there is only so many capabilities that can generally be supported.

PinkKite, for example, is less than 6k in size. However, the tiny size of the malicious code belies its power.

PinkKite not only comes equipped with memory scraping tools, but built-in persistence mechanisms, hard-coded encryption, and a backend infrastructure for data exfiltration.

The malware's executable masquerades as a legitimate Microsoft Windows program and uses names such as Svchost.exe and AG.exe.

When a system has been infected -- although the techniques for primary infection have not been disclosed -- the malware moves across a network to PoS systems. Credit card data is then scraped from system memory and a Luhn algorithm is used to valid credit card numbers.

This information is encrypted and stored in a compressed format before being sent through Remote Desktop Protocol (RDP) sessions to clearinghouses.

The clearinghouses, three in number, are based in South Korea, Canada, and the Netherlands. Stolen data is sent to these systems rather than a standard command and control (C2) server often used by PoS malware.

Each compressed package can store up to 7,000 credit card numbers.

According to the researchers, the use of clearinghouses is likely to be a means for the attackers to "keep a little bit of distance from the PoS terminals."

See also: Oracle Micros point-of-sale system vulnerability puts business data at risk

Kroll Cyber Security has not shared any information relating to the malware's creators or operators. There is also no data available on how many credit card numbers may have been stolen, or where from.

In February, Forcepoint researchers found a strain of PoS malware called UDPoS disguises itself as LogMein software to steal data. The malware attempts to smuggle information stolen from terminals out as legitimate DNS traffic.

Top tips to stay safe on public Wi-Fi networks

Previous and related coverage

Editorial standards