PinkKite, a new family of point-of-sale (POS) malware, has been identified by researchers this week. Kroll Cyber Security initially identified PinkKite last year during a nine-month investigation into a major POS malware campaign that ended in December 2017.
As first reported by ThreatPost, the primary researchers Courtney Dayter and Matt Bromiley presented their findings at the Kaspersky Lab Security Analyst Summit in Cancun, Mexico last week.
POS malware is specifically crafted to target POS machines in retail terminals with the goal of stealing credit card information for use in identity theft and card cloning, or for sale in bulk on the dark web.
PinkKite is said to be tiny, under 6 KB in size. The researchers likened it to TinyPOS and AbaddonPOS, two other small POS malware families. Like those two, PinkKite comes equipped with data validation and memory-scraping tools, which, along with its small footprint, help it elude detection. Tiny malware normally has limited capacity, since its size allows it to support only so many capabilities. PinkKite, however, appears to have a much larger set of capabilities than one would expect from its size.
“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” Dayter said.
The malware poses as a legitimate Microsoft Windows program, using file names such as Schovst.exe and AG.exe.
Once it has infected a system, the malware moves across the network to deliberately target its POS systems. It then scrapes credit card data from the POS system's memory and applies the Luhn algorithm to separate valid credit card numbers from other digit strings. The stolen data is encrypted and stored in a compressed format before it is sent via Remote Desktop Protocol (RDP) sessions to clearinghouses. Each compressed package can hold up to 7,000 credit card numbers.
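The Luhn check the report describes is the same test a defender can apply to find card data where it should not be, for example in a process memory dump or a scan of files on a POS host. The following Python is an added example, not code from the article or from Kroll; the sample buffer is constructed, and the two card numbers in it are well-known test numbers, not real accounts.

```python
import re

# Luhn check: a 13-19 digit string whose weighted digit sum is divisible by 10.
# PinkKite is reported to use this to discard scraped strings that are not
# card numbers; a PCI data-discovery or DLP scan uses it for the same reason.
def luhn_valid(digits: str) -> bool:
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digit runs, allowing a space or dash between digits,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(buffer: str) -> list[str]:
    """Return the distinct Luhn-valid PAN candidates found in a text buffer."""
    hits = []
    for m in _CANDIDATE.finditer(buffer):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(pan) and pan not in hits:
            hits.append(pan)
    return hits

def mask(pan: str) -> str:
    """Show only the last four digits when reporting a hit."""
    return "*" * (len(pan) - 4) + pan[-4:]

# Constructed sample resembling scraped POS process memory: a 16-digit order id
# that fails Luhn, a spaced test PAN, track-style data with a second test PAN,
# and a 13-digit reference that also fails Luhn.
SAMPLE = (
    "cust=ACME order=1234567890123456 "
    "pan=4111 1111 1111 1111 exp=1225 "
    "track=;4242424242424242=2512101? "
    "ref=1122334455667 "
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE):
        print("possible card data:", mask(pan))
```

Luhn alone is a weak filter, so a real scan should also check issuer prefixes and report masked values only, as the `mask` helper does.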
The Kroll researchers identified three clearinghouses geographically spread around the world: in Canada, South Korea and the Netherlands. The stolen data is sent to the clearinghouses using a standard command and control (C2) server of the kind often employed by POS malware. The researchers explained their theory as to why the clearinghouses might have been used: “From a malware collection point of view, it was probably easier for adversaries to send data to clearinghouses. It also may have helped them keep a little bit of distance from the POS terminals,” Bromiley said. “But, from an investigative point of view we loved it because it made the operation very noisy.”
Kroll Cyber Security has not said how many credit card numbers might have been stolen using this technique, or where from; nor have they shared any information related to the malware’s creators or operators.