CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Q&A: A New Point-of-Sale Malware Family Named Punkey

In conjunction with a U.S. Secret Service investigation, Trustwave SpiderLabs researchers have unearthed a new family of point-of-sale (POS) malware.

POS malware is a sinister and often difficult-to-detect threat that preys on retailers running Windows-based payment terminals. This menace has been around for many years, but has now become the preferred fraud method by which cybercriminals fleece retailers of huge amounts of payment card data. The newly discovered POS malware family is called Punkey - a name inspired by a combination of the code's functionality and the 1980s sitcom "Punky Brewster".

We asked Trustwave Threat Intelligence Manager Karl Sigler to help us better understand the malware's capabilities and steps organizations can take to detect and prevent it and similar threats.


Q:  What is Punkey and how does it make it onto POS systems in the first place?

A: Punkey is a family of POS malware that infects point-of-sale systems to steal payment card information. Typically Punkey would be installed by exploiting easy-to-crack passwords used for remote access software on the POS systems or through cashiers using the POS system to browse malicious websites or open phishing emails.


Q: Once the malware has infected a POS system, like a credit card reader or cash register, what does it do? How does it steal card numbers?

A: Once installed, Punkey hides itself as a part of Explorer, one of Windows primary processes. Like a lot of POS malware, Punkey uses memory scraping to grab credit card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.


Q: How difficult is it to detect/remove Punkey?

A: Punkey is not hard to remove once you know what to look for. Now that we've been able to analyze the malware and make our findings public, organizations should be able to use standard anti-malware solutions to detect and remove Punkey. Our research team has also published specific indicators, such as the files used by the malware as well as network traffic samples that security teams can use to discover and eradicate Punkey from their systems.


Q: How widespread is Punkey?

Not horribly widespread yet. It's pretty targeted. The C&C instance we investigated had 75 instances of Punkey reporting to it, so that means around 75 infected POS systems most likely. 


Q: In terms of its functionality, how does it compare to previously discovered POS malware?

A: Punkey is a bit more advanced than most of your typical POS malware. Most POS malware doesn't bother to hide itself using similar injection and encryption techniques. Punkey also maintains regular communication with a C&C server, not just to upload stolen payment card data, but also to download updated versions of itself and any additional malware the criminals behind it may decide to use.


Q: Why has POS malware seemingly become such a big threat over the past 12 to 18 months, and is there any slowing it down?

A: Criminals follow the money, and infecting a POS terminal that might swipe thousands of payment cards is a very lucrative avenue for them. Hopefully protections being put in place like chip-and-PIN- based cards and point-to-point encryption will force criminals to look elsewhere.


Q: What can organizations, like retailers, do to protect themselves from this threat and others like it?

A: Organizations - or their security partner, such as a managed security services provider - should run updated anti-virus and intrusion detection system solutions, as well as monitor their networks for anomalous traffic. Organizations should also educate their employees to follow best security practices, such as only using POS systems for what they are intended for and not to browse the web, check email, play video games, etc. For POS systems that use remote access control technology, organizations should ensure that the software is kept up to date and can be accessed only by strong passwords or two-factor authentication.


Q: And finally, why is it called "Punkey"?

A: The malware uses a variable called 'unkey' to send the data to the C&C server, and the data is sent using an 'HTTP POST' command. So Punkey is a portmanteau of 'POST' and 'UNKEY': P(ost)unkey, or Punkey. And that's a name that might ring a bell.

For more information about combating point-of-sale attacks, check out this blog or download this white paper from SpiderLabs. In addition, if you'll be at the RSA Conference 2015 in San Francisco, Trustwave Vice President of Managed Security Testing Charles Henderson is scheduled to present on the topic of POS malware.

Latest Trustwave Blogs

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More

Balancing Innovation and Security: How Offensive Security Can Help Navigate the Tech Industry’s Dual Challenges

Two of the greatest threats facing technology-focused organizations are their often-quick adoption of new technologies, such as artificial intelligence (AI), without taking security measures into...

Read More

Trustwave Government Solutions (TGS) Salutes New Mexico’s New Cybersecurity Executive Order

New Mexico Governor Michelle Lujan Grisham issued an Executive Order to shore up the state’s cybersecurity readiness and better safeguard sensitive data by conducting a state-wide security assessment...

Read More