
Trustwave discovers new family of PoS malware

Only two weeks ago we reported on the underlying vulnerabilities that put point-of-sale systems at risk. Now, as part of an investigation by the US Secret Service, researchers at security services company Trustwave have identified a new family of PoS malware.

Cyber criminals are already using the malware, which researchers have named "Punkey" in an obscure '80s sitcom reference, to infect businesses. Payment card data and more than 75 active victim IP addresses were found during the investigation.

Trustwave does not know how many businesses have been infected, but its researchers have seen multiple command and control servers and multiple campaigns related to Punkey, and it appears that several malware authors have worked on the source code used in those campaigns.

The malware injects itself into the Windows Explorer process and scans the memory of other processes for cardholder data, sending any card details it finds to a command and control server. It periodically checks in with that server for instructions, such as new programs to run or an update to the malware itself. Punkey also performs keylogging, capturing 200 keystrokes at a time before sending them back to the server, so the attacker can harvest usernames, passwords and other sensitive input. All of these functions run continuously and start again if the computer is rebooted.

Trustwave notes that, "The injection and hiding process with Punkey is more advanced than most of the point-of-sale malware that we currently see. In particular, command and control server interaction with the malware is something we don't see very often.

"The ability to execute arbitrary programs and update the malware is not something typically seen in point-of-sale malware".

You can read more about the discovery on the Trustwave blog.

Image Credit: Sedlacek / Shutterstock