News Feature | May 7, 2015

Punkey Malware Takes Threats To New Level

By Ally Kutz, contributing writer


POS systems are at risk — again — now from “Punkey” malware. This comes as little surprise, given the many attacks on POS systems within the last year.

Last month, Cisco Systems released a warning about a new malware family called PoSeidon, with attacks already taking place at U.S. bars, restaurants, and hotels, and Trustwave released information on Punkey, found during a recent investigation by the U.S. Secret Service.

The malware has at least three variants, with versions of Punkey for both 32-bit and 64-bit Windows-based POS systems. Not only does it steal payment card data while a transaction is being processed, it also installs a keylogger to capture what employees type.

“The malware injects itself into the Windows explorer.exe process and creates registry start-up entries to ensure its persistence. It also drops a file called DLLx64.dll which is the keylogger component,” Lucian Constantin, correspondent for IDG News Service, writes for PCWorld.
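The two indicators in that description, start-up entries in the registry and a dropped file named DLLx64.dll, plus the explorer.exe injection, are things an integrator can check for on a POS terminal today. The PowerShell below is an added example written for this article; it is not Trustwave's tooling or anything published with the Punkey research. The list of Run/RunOnce keys, the choice of the system drive as the search root, and the heuristics used to flag a start-up command are assumptions on my part, since the article does not say which key or path Punkey uses.

```powershell
# Added hunt script (not from the article or from Trustwave). Run it from an
# elevated PowerShell on the POS terminal; HKLM entries are only fully visible
# to an administrator.

# Assumption: these are the common auto-start keys; Punkey's exact key is not
# given in the article, so all of them are checked.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Enumerate every value under the auto-start keys as (Key, Name, Command).
function Get-StartupEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Heuristic (my assumption, not an official IOC): flag commands that mention the
# known keylogger file name, load a DLL through rundll32, or start something
# from a user-writable location.
function Test-SuspiciousEntry {
    param([string]$Command)
    $c = $Command.ToLowerInvariant()
    return ($c -match 'dllx64\.dll') -or
           ($c -match 'rundll32') -or
           ($c -match '\\users\\[^\\]+\\appdata\\') -or
           ($c -match '\\programdata\\') -or
           ($c -match '\\temp\\')
}

# Modules loaded into explorer.exe from outside the Windows directory. Injected
# code that never maps a file will not show up here, so an empty result is not
# a clean bill of health.
function Get-ExplorerModulesOutsideWindows {
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            if ($m.FileName -notmatch '^[A-Za-z]:\\Windows\\') {
                [pscustomobject]@{ PID = $proc.Id; Module = $m.ModuleName; Path = $m.FileName }
            }
        }
    }
}

Write-Host '== Auto-start entries =='
Get-StartupEntries | ForEach-Object {
    $flag = if (Test-SuspiciousEntry $_.Command) { 'SUSPECT' } else { '       ' }
    '{0} {1}  {2} = {3}' -f $flag, $_.Key, $_.Name, $_.Command
}

Write-Host "`n== Files named DLLx64.dll (search root is an assumption) =="
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'DLLx64.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        '{0}  {1}  {2}' -f $_.FullName, $_.LastWriteTime, $h.Hash
    }

Write-Host "`n== explorer.exe modules outside \Windows =="
Get-ExplorerModulesOutsideWindows | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: the file name and the flagged paths are indicators that other software can share, so compare the SHA-256 against the hashes Trustwave published with its Punkey write-up before acting, and image the terminal rather than deleting the file if an incident response will follow.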

The malware is also capable of downloading other malware, as well as updates for itself. “This gives Punkey the ability to run additional tools on the system such as executing additional reconnaissance tools or performing privilege escalation,” the Trustwave researchers say. “This is a rare feature for POS malware.”

Trustwave has created a tool to decrypt Punkey traffic, which it has published on GitHub. This in turn can help you identify Punkey traffic on your clients’ networks and remove the malware.