Hackers using tiny malware PinkKite to steal credentials from POS machines

News by Jay Jay

Point-of-Sale endpoints used by enterprises are facing a new threat: PinkKite, a malware under 6 KB in size that scrapes process memory, validates what it finds, and steals credentials and payment card data.


At Kaspersky Lab's Security Analyst Summit on Friday, security researchers from Kroll Cyber Security revealed the arrival of a new POS malware that is among the smallest malware in the world, yet among the most powerful affecting POS endpoints.

"The malware was installed on September 9, 2017 and the first evidence at all of unauthorised attacker activity in the environment was a week earlier on September 2, 2017. The attackers used a software deployment system within the corporate environment as a pivot point to access restaurant locations, and subsequently uploaded RAM scraping malware to capture magnetic stripe cardholder information during the transaction process," they said.

According to the researchers, the new malware, dubbed PinkKite, is about 6 KB in size and relies on that small footprint to stay below the radar of anti-malware systems. Once on a Point-of-Sale system it harvests card data and credentials from the system and hands the information to intermediate "clearinghouse" hosts, rather than beaconing directly to a command-and-control server as most POS malware does.

They added that cyber-criminals using PinkKite used three clearinghouses last year that were located in South Korea, Canada, and the Netherlands. Matt Bromiley, one of the Kroll researchers, said that this was probably done to help them keep a little bit of distance from the POS terminals.

As described by the researchers, PinkKite masquerades as a legitimate Windows program by using executable names such as Svchost.exe and Ctfmon.exe (both genuine Windows components) as well as AG.exe, so that a casual look at the process list does not flag it. Once inside a POS network, it scrapes candidate card numbers and other credentials from memory and then validates each candidate with the Luhn checksum, discarding digit strings that cannot be card numbers before they are stored.

Once this is done, it encodes the 16 digits of each card number with a predefined key using a double-XOR operation, adding a layer of obfuscation intended to hinder analysis and detection. The stolen data is then written to compressed files with extensions such as .f64, .n9 or .sha64, which the operators send manually over a separate Remote Desktop Protocol (RDP) session to a clearinghouse.
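The two steps above, scraping digit strings out of memory and keeping only those that pass Luhn, and then obfuscating them with two XOR passes, are shown in the added Python example below. It is illustrative code written for this article, not PinkKite's own code, and it makes two assumptions: the memory buffer is a constructed sample containing test card numbers, and the two XOR keys are arbitrary values chosen here, because the real key is not published. The example also shows why double XOR is only obfuscation: the same call with the same keys recovers the plaintext.

```python
import re

# Constructed sample of what a RAM scraper sees in a POS process: a track-2
# style record (PAN=expiry...), an unrelated 16-digit string that fails Luhn,
# a second valid PAN, and ordinary application data. The PANs are published
# test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP 2.4\x00"
    b";4111111111111111=25121010000000000000?\x00"
    b"1234567812345678\x00"
    b"5555555555554444\x00"
    b"order=000123 amount=1999\x00"
)

# Hypothetical keys for the demonstration only; the article does not give
# the real PinkKite key.
KEY1 = b"\x5a\xa5\x3c"
KEY2 = b"\x7f\x13"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1): from the right, double every second
    digit, subtract 9 if the doubled value exceeds 9, and require the total
    to be a multiple of 10. A checksum, not a security control: it only
    filters typos and noise, which is exactly why a scraper uses it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list:
    """Return every run of exactly 16 digits in the buffer that passes Luhn.
    The look-around guards stop the 20-digit expiry/service-code run in the
    track-2 record from yielding a bogus 16-digit window."""
    candidates = re.findall(rb"(?<!\d)(\d{16})(?!\d)", memory)
    return [c.decode() for c in candidates if luhn_valid(c.decode())]


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Two sequential repeating-key XOR passes. XOR is its own inverse, so
    calling this again with the same keys decodes the output; the two passes
    together are equivalent to one repeating-key XOR whose period is
    lcm(len(key1), len(key2))."""
    out = bytearray(data)
    for key in (key1, key2):
        for i in range(len(out)):
            out[i] ^= key[i % len(key)]
    return bytes(out)


def encode_scraped(memory: bytes, key1: bytes = KEY1, key2: bytes = KEY2) -> bytes:
    """Scrape, validate and obfuscate in one pass: what would be written out
    before being staged for exfiltration."""
    pans = scrape_pans(memory)
    return double_xor("\n".join(pans).encode(), key1, key2)


if __name__ == "__main__":
    found = scrape_pans(SAMPLE_MEMORY)
    print("Luhn-valid PANs:", found)
    blob = encode_scraped(SAMPLE_MEMORY)
    print("obfuscated:", blob.hex())
    print("recovered :", double_xor(blob, KEY1, KEY2).decode().split("\n"))
```

For an analyst the useful part is the symmetry: a sample of the staged files plus the key extracted from the binary decodes the loot, and because the combined keystream repeats with a short period, even an unknown key falls to frequency analysis over a few dozen card numbers.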

"The interesting thing about this malware is that the behaviour of the malware was minimalised to shrink the size of the file; it scraped memory, checked for card numbers and exfiltrated the data. The resources on POS devices are scarce so an additional file has a better chance of not disrupting normal operations if its impact is marginal," said Andy Norton, director of threat intelligence at Lastline in an email to SC Media UK.

"However, I don't think the 6k size is beneficial to the threat actors to avoid detection; by the time the POS malware was placed in the system, the attackers were already on the inside. This shows a blind spot in security defences that organisations cannot easily connect North to South moving infections with East to West moving intrusions. 

"The level of ease for this malware to spread depends on the structure and level of security designed into the network. Of course, once attackers have defeated and have access to credentials, they would be able to place malware on all systems. The ramifications of POS breaches in the past have been enormous and will only get bigger with the onset of EU privacy laws only two months away," he added.

Ryan Wilk, vice president at NuData Security Inc, told SC Media UK that organisations can stop this latest barrage of POS malware attacks by continuous monitoring and by making sure that all patches are up to date. At the same time, implementation of multi-layered security solutions that don't rely on static data such as credit card numbers, passwords or security questions by e-commerce firms can also help protect customers from credit card fraud once hackers have gained access to their card numbers.

Travis Smith, principal security researcher at Tripwire, said that the size of malware has little to do with how it can be detected as a change on a static endpoint like a point of sale machine will stick out clearly with the proper controls.

"Application whitelisting is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point of sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built-in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection are key in a successful security architecture," he said.
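The point that a new file on a static endpoint "will stick out clearly with the proper controls" can be shown with a small file-integrity check. The Python below is an added example written for this article, not a product or vendor implementation: it hashes an executable tree, diffs it against a baseline, and flags any new binary whose name matches one of the process names reported for PinkKite but whose directory is not where that Windows component lives. The directory tree and its contents are constructed in a temporary folder; the expected-location table is an assumption covering the two system binaries named in the article, and AG.exe is listed with no expected location because it is not a Windows component.

```python
import hashlib
import os
import tempfile

# Where the genuine binary normally lives, lower-case with forward slashes.
# An empty set means any appearance of the name is worth a look.
EXPECTED_DIRS = {
    "svchost.exe": {"windows/system32", "windows/syswow64"},
    "ctfmon.exe": {"windows/system32", "windows/syswow64"},
    "ag.exe": set(),
}


def baseline(root: str) -> dict:
    """Map every file under root (relative path, '/' separated) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_baseline(before: dict, after: dict) -> tuple:
    """Return (added, changed, removed) relative paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and before[p] != after[p])
    removed = sorted(p for p in before if p not in after)
    return added, changed, removed


def masquerade_alerts(paths) -> list:
    """Flag paths whose file name mimics a known binary but sits outside the
    directories that binary is expected in."""
    alerts = []
    for p in paths:
        parent, _, name = p.rpartition("/")
        name = name.lower()
        if name in EXPECTED_DIRS and parent.lower() not in EXPECTED_DIRS[name]:
            alerts.append(p)
    return alerts


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> tuple:
    """Build a tiny POS-like tree, snapshot it, simulate the drop of a
    masquerading binary, and return (added paths, masquerade alerts)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/svchost.exe", b"genuine svchost")
        _write(root, "POS/register.exe", b"point of sale application")
        before = baseline(root)
        # Simulated intrusion: a ~6 KB payload dropped next to the POS app
        # under a system-process name. Size is irrelevant to the hash diff.
        _write(root, "POS/svchost.exe", b"X" * 6000)
        after = baseline(root)
        added, _, _ = diff_baseline(before, after)
        return added, masquerade_alerts(added)


if __name__ == "__main__":
    added, alerts = demo()
    print("new files since baseline:", added)
    print("name/location mismatches:", alerts)
```

The diff catches the drop regardless of the file's size or name; the name check is a cheap second opinion that turns "something changed" into "something is pretending to be svchost.exe from the wrong directory". As the quote notes, an attacker holding admin credentials can disable or bypass both the baseline job and AppLocker, so the check belongs alongside, not instead of, credential hygiene.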
