
Since May, PandaLabs, the anti-virus laboratory of Panda Security, has been conducting a thorough study of POS terminals in US restaurants, in the course of which it discovered PunkeyPOS, a variant of a malicious program that is able to access bank card data. PandaLabs handed this information to US law enforcement agencies so that they can take appropriate measures. Let's see what it is and how it works.
PunkeyPOS works on all versions of the Windows operating system. The cyber-criminals' plan is to install malware on POS terminals in order to steal critical information such as account numbers and the contents of bank cards' magnetic stripes.
PunkeyPOS seems simple: it installs a keylogger that monitors keystrokes, then it installs a RAM scraper, which reads the memory of all processes running on the system.
Based on the intercepted information, the malware performs a series of operations to establish what is relevant and what is not. As for keystrokes, PunkeyPOS ignores any information that does not relate to bank card data. Of main interest are the Track 1 / Track 2 records that the RAM scraper finds in process memory. POS terminals read this information from the magnetic stripes of bank cards, so criminals can later use this data to clone cards.
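To make the Track 1 / Track 2 data concrete from the defender's side, here is an added example (not code from the original article or from PandaLabs) that scans a constructed memory buffer for the ISO 7813 track layouts and validates each PAN with the Luhn check, the kind of logic used in DLP scanners or memory-forensics tooling to confirm what a RAM scraper could have harvested from a given process. The buffer contents, the public test PANs and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# ISO 7813 magnetic-stripe layouts, as a defender would scan for them in a
# memory dump or captured traffic:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})[^?]*\?")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")


@dataclass
class TrackHit:
    offset: int       # byte offset of the match in the scanned buffer
    track: int        # 1 or 2
    masked_pan: str   # first six and last four digits only (PCI-style masking)
    expiry: str       # YYMM as encoded on the stripe
    luhn_valid: bool  # False usually means a false positive, not card data


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first six) and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Return every Track 1 / Track 2 record found in buf, in offset order."""
    hits: List[TrackHit] = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan").decode("ascii")
            hits.append(TrackHit(
                offset=m.start(),
                track=track,
                masked_pan=mask_pan(pan),
                expiry=m.group("exp").decode("ascii"),
                luhn_valid=luhn_ok(pan),
            ))
    hits.sort(key=lambda h: h.offset)
    return hits


def count_valid_cards(buf: bytes) -> int:
    """Number of records that pass Luhn, i.e. what an attacker could actually use."""
    return sum(1 for h in find_track_data(buf) if h.luhn_valid)


# Constructed sample of what a POS process memory region might look like. The
# PANs are the well-known public test numbers, not real cards; the third record
# is deliberately Luhn-invalid to show the false-positive filter at work.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE heap chunk\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00order_id=1234 total=19.95\x00"
    b";5555555555554444=25121011000012345678?"
    b"\x00"
    b";4111111111111112=2512101?"
    b"\x00log line, not a card: 1234567890123\x00"
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        status = "ok" if hit.luhn_valid else "LUHN FAIL"
        print(f"+0x{hit.offset:04x} track {hit.track}: {hit.masked_pan} exp {hit.expiry} [{status}]")
    print("valid cards exposed in buffer:", count_valid_cards(SAMPLE_MEMORY))
```

The scanner never keeps a full PAN in its output; it reports the masked number, expiry and Luhn result, which is enough to tell an operator which process exposed cleartext track data and therefore which terminal needs isolating and re-imaging.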
Once the relevant information has been collected, it is encrypted and transmitted to a remote web server, which also acts as the command and control (C&C) server. To prevent the card data from being discovered by anyone inspecting network traffic, it is encrypted with the AES algorithm before being sent.
The address of the command and control (C&C) server can easily be obtained from a sample of this malicious program by reverse engineering it or analyzing its communications. Below is the main page of the control panel; accessing it requires a login and password:
Follow the trail to the digital pickpocketers
The authors of this attack were not very careful. Since the server was not configured correctly, PandaLabs was able to access it without any credentials.
As a result, PandaLabs was able to see how PunkeyPOS transmits the stolen information. Besides giving access to the stolen information, the control panel lets the cyber-criminals re-infect or update the current clients (POS bots).

The version of the analyzed PunkeyPOS sample is “2016-04-01”. If we compare this sample with earlier versions, some of which date from 2014, we can hardly see any difference in how it works:
krebsonsecurity.com/2016/06/slicing-into-a-point-of-sale-botnet
www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges—Punkey/
PandaLabs managed to access the PunkeyPOS management console and determine the location of approximately 200 POS terminals infected with this malware variant. We can see that almost all the victims are located in the USA:

Considering how easy it is to sell this information on the black market and how conveniently these POS terminals can be infected anonymously via the Internet, we are confident that cyber-criminals will increasingly turn to these terminals.