Researchers presented findings on a new strain of point-of-sale malware, dubbed PinkKite, that was spotted by security experts at Kroll Cyber Security.

A new strain of point-of-sale malware, dubbed PinkKite, was spotted by security experts at Kroll Cyber Security.

PinkKite was first discovered in 2017 while the experts were instigating into a large POS malware campaign.

PinkKite is a tiny malware, it is less than 6k in size with a small footprint to make hard its detection. The malware also employs another layer of obfuscation via a double-XOR operation that encodes the 16 digits of the credit card number with a predefined key to make hard the detection. The PoS malware implements classic memory-scraping feature and procedures for data validation.

“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” explained Courtney Dayter who presented the threat at Kaspersky Lab’s Security Analyst Summit along with Matt Bromiley.

Crooks behind the PinkKite PoS malware campaign used three clearinghouses located in South Korea, Canada. and the Netherlands to receive the stolen data, this choice made the operation very noisy and easy to detect.

The PinkKite executable poses itself as a legitimate Windows program using file names like Svchost.exe, Ctfmon.exe, and AG.exe.

The PinkKite first scrapes a credit card data from the PoS memory, then it uses a Luhn algorithm to validate credit and debit card numbers.

The credit card data is stored in compressed files with names such as .f64, .n9 or .sha64. Each record can contain up to 7,000 credit card numbers, a lot of records are periodically sent manually using a separate Remote Desktop Protocol (RDP) session to one of the three PinkKite clearinghouses.

“Once the data was scraped by PinkKite, it was written to a file on a remote system. These remote ‘collection’ systems served as central collection points (clearinghouses) for hundreds or thousands of malware output files,” Dayter said.

According to Kroll, attackers behind the PoS malware likely compromised one main system and then from there used PsExec for lateral movements inside the target network.

Attackers also used the popular Mimikatz post-exploitation tool to extract credentials from the Local Security Authority Subsystem Service (LSASS), then once systems were compromised, attackers would access it to remove the credit card data via the RDP session.

Pierluigi Paganini

(Security Affairs – cybercrime, PoS malware)

Share this...

Linkedin Reddit Pinterest

Share On