Researchers Hack Their Way into Punkey PoS Malware Backend


Criminals infected over 200 US businesses with PunkeyPOS. Security researchers from PandaLabs have hacked their way into the administration panel of the PunkeyPOS point-of-sale malware and have discovered an ongoing campaign targeting stores in the US.

PunkeyPOS, or Punkey, is point-of-sale malware that first appeared in April 2015 and was derived from an older version of the NewPoSThings PoS malware.

This threat has been relatively quiet, and nothing was heard about it until a recent campaign detected by an unnamed security firm that told reporter Brian Krebs about a possible infection with Punkey on the computers of CiCi’s Pizza, a restaurant chain in the US.

Punkey mostly targets US businesses

PandaLabs didn’t confirm Krebs’ findings that CiCi’s Pizza might be infected but revealed an ongoing Punkey campaign that, according to C&C telemetry data, has been targeting US businesses.

The researchers, who analyzed some of the malware’s samples, managed to reverse-engineer its code and discovered the C&C server’s IP address. Accessing this server, they found a Web-based password-protected administration panel.

“The cyber-criminals behind this attack haven’t been very careful,” the PandaLabs team explained. “Since the server was not configured correctly, PandaLabs was able to access it without credentials.”

Researchers were able to view all the computers infected with Punkey and map out their distribution around the globe using the statistical data collected by Punkey at infection time.

Researchers discovered over 200 infections, most of them in the US. The version number of this Punkey variant is “2016-04-01,” meaning this is a recent campaign.

Punkey works via a keylogger and a memory scraper component

Punkey is designed to target only Windows machines running PoS software. The malware comes with two components: one is a keylogger, and the other is a RAM scraper.

The keylogger records user keystrokes but discards most of what is typed, keeping only number sequences that look like credit card details.

The memory scraper is where Punkey’s authors obtain most of the valuable data. This component constantly reads data currently passing through the PC’s memory and collects anything that looks like Track 1 or Track 2 credit card information, usually while it is being processed by the PoS software.

This info is later sent to the Punkey C&C server, encrypted using an AES algorithm, and made available to crooks in the Web-based admin panel seen below.
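The two collection rules described above (the keylogger keeping only sequences that look like card numbers, the RAM scraper keeping only Track 1 or Track 2 formatted data) are the same rules a defender can use to check whether card data is leaking from a PoS host, for example by scanning strings captured from outbound traffic or from a memory dump of the PoS process. The following is an added example written for this article, not code from PandaLabs or from the malware; the track layouts, the Luhn check and the sample strings are constructed for illustration, and the card number used is the standard 4111... test PAN.

```python
import re

# Constructed sample strings, the kind a DLP or forensic tool might pull from
# a capture or a process memory dump. None of these are real records.
SAMPLE_STRINGS = [
    "%B4111111111111111^DOE/JOHN^25121010000000000000?",  # Track 1 layout
    ";4111111111111111=25121010000000000?",                # Track 2 layout
    "order 20160401 total 42.50",                          # benign digits
    "1234567812345678",                                    # 16 digits, fails Luhn
]

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM expiry.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
# Track 2: start sentinel ';', PAN, '=', YYMM expiry.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# Bare PAN-length digit run, as a keylogger-style match candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters random digit runs from real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(s: str):
    """Return (kind, masked_pan, expiry) for card-like data, or None."""
    m = TRACK1_RE.search(s)
    if m and luhn_ok(m.group(1)):
        return ("track1", mask(m.group(1)), m.group(3))
    m = TRACK2_RE.search(s)
    if m and luhn_ok(m.group(1)):
        return ("track2", mask(m.group(1)), m.group(2))
    m = PAN_RE.search(s)
    if m and luhn_ok(m.group(1)):
        return ("pan", mask(m.group(1)), None)
    return None


def scan(strings):
    """Scan captured strings and return only the findings that pass the checks."""
    return [f for f in (classify(s) for s in strings) if f is not None]


if __name__ == "__main__":
    for kind, masked, exp in scan(SAMPLE_STRINGS):
        print(f"{kind}: PAN {masked} exp {exp}")
```

Run against the sample strings, the scanner flags the two track-formatted records and ignores both the benign digit run and the 16-digit sequence that fails the Luhn check. In practice a hit on a PoS host outside the payment application's own memory, or in outbound traffic to an unknown host, is the signal worth alerting on; the malware's use of AES for exfiltration means the wire data itself will not match, so the check is most useful on process memory and on plaintext captured before encryption.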

Punkey control panel