A new family of point-of-sale malware called “PinkKite” uses a unique method to exfiltrate consumers’ stolen payment card information.
Kroll Inc. researchers Matt Bromiley and Courtney Dayter presented on the threat during Kaspersky’s Security Analyst Summit 2018 on 9 March.
In their talk entitled “It’s a Small World After All: The Evolution of Small POS RAM Scrapers,” the researchers noted that PinkKite is similar to AbaddonPOS and other POS malware in that it uses its small size to avoid detection. But the baddy, which comes with memory-scraping and data validation techniques, stands out in several key respects.
Perhaps the biggest difference has to do with how it exfiltrates victims’ stolen payment card data. It doesn’t use a command-and-control (C&C) server like other threats. Instead PinkKite sends the information to three clearinghouses located in South Korea, the Netherlands, and Canada.
Bromiley explained during the talk that this feature helped ease the difficulty of detecting and analyzing the malware. As quoted by Threatpost:
From a malware collection point of view, it was probably easier for adversaries to send data to clearinghouses. It also may have helped them keep a little bit of distance from the POS terminals. But, from an investigative point of view we loved it because it made the operation very noisy.
PinkKite also stands out for its use of hard-coded double-XOR encryption on credit card details it scrapes from memory as another method to evade detection. It then takes that obfuscated information, stores it along with as many as several thousand other credit card records in compressed files, and writes the files onto one of the three clearinghouse remote systems.
Bromiley and Dayter first learned of the threat from a client when it told them in 2017 that someone was selling its customers’ payment card details on the black market. From their follow-up investigation, the researchers discovered that the malware was storing Track II magnetic stripe data in memory but was also capturing transactions that were sometimes years old. PinkKite pulled off this feat because the affected POS server ran an SQL database that upon boot-up loaded two separate tables containing historical track data into memory, where it then scraped all that information.
In their presentation for Kaspersky’s summit, Kroll’s experts did not provide many details about the attackers behind PinkKite, a name they came up with using random naming conventions.
The ongoing emergence of threats like PinkKite highlights the need for retailers and other organizations to strengthen the security of their POS infrastructure. For information on how Tripwire can help, click here.