A new family of point-of-sale (POS) malware, named PinkKite, has appeared. Despite being tiny in size, it can deal a heavy blow to POS endpoints.
PinkKite was part of a large POS malware campaign that ended in December. Our malware analysis indicates that this was PinkKite's first campaign.
PinkKite is less than 6k in size, comparable to the TinyPOS and AbaddonPOS malware.
PinkKite relies on its tiny size to avoid detection.
PinkKite differs from those families in its built-in persistence mechanisms, its hard-coded double-XOR encryption, and a backend infrastructure that routes exfiltrated data through a clearinghouse.
The attackers behind the PinkKite campaign sent the stolen data to three clearinghouses located in South Korea, Canada, and the Netherlands. This is notable because most POS malware sends data directly to a C2 server.
New threats appear and are used in new ways every day, so we strongly recommend installing an antivirus for Windows or an antivirus for Mac, depending on which OS your devices run. If you are a company, check your network integrity by running penetration tests and ethical hacking tests at least once a year.
PinkKite masquerades as a legitimate Windows program, using names such as Svchost.exe, Ctfmon.exe, and AG.exe.
Once credit card data has been scraped from system memory, PinkKite validates the credit and debit card numbers with the Luhn algorithm, then adds another layer of obfuscation: a double-XOR operation that encodes the 16 digits of each card number with a predefined key.
The card data is then stored in compressed files with names such as .f64, .n9 or .sha64.
Each such file can hold up to 7,000 credit card numbers.
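The Luhn check mentioned above is the same test a defender can use to triage a recovered memory dump or decoded staging file: a buffer holding many 16-digit runs that pass Luhn is card data, not log noise. The following is an added example (not PinkKite's code and not from the original article); the sample buffer and the thousand-card threshold are constructed assumptions for illustration.

```python
import re
from typing import List

# Constructed sample: a buffer with embedded 16-digit runs. Two are Luhn-valid
# test card numbers; the others are an order id and a number with a bad check digit.
SAMPLE = (
    b"TRACK2=4111111111111111=2512101...?;"
    b"order_id=1234567890123456;"
    b"pan=5500000000000004;"
    b"bad=4111111111111112;"
)

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(blob: bytes) -> List[str]:
    """Extract standalone 16-digit runs and keep only the Luhn-valid ones."""
    candidates = re.findall(rb"(?<!\d)\d{16}(?!\d)", blob)
    return [c.decode() for c in candidates if luhn_valid(c.decode())]

def looks_like_card_dump(blob: bytes, threshold: int = 1000) -> bool:
    """Triage heuristic (assumed threshold): flag buffers holding many valid PANs.

    Files such as the .f64/.n9 containers described above hold thousands of
    numbers once decoded, so a high count is a strong signal of staged card data.
    """
    return len(find_card_numbers(blob)) >= threshold

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE):
        # mask all but the last four digits before logging
        print("Luhn-valid PAN found:", "*" * 12 + pan[-4:])
```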
At the start of the campaign, the attackers compromised one main system and then used PsExec to move laterally across the targeted company's network, locating the Local Security Authority Subsystem Service (LSASS) and extracting credentials with Mimikatz.
Once this is done, the credit card data can be extracted over an RDP session.
This is an excellent example of how much damage can be done to an unprotected company.
Remember: to stay safe and secure in cyberspace, use an antivirus for Windows or an antivirus for Mac, depending on which OS your device runs. Companies should also keep in mind that professional cybersecurity firms offer packages that can test your network integrity by running penetration tests and ethical hacking tests.