A new family of point-of-sale malware called “PinkKite” uses a unique method to exfiltrate consumers’ stolen payment card information.

Bromiley and Dayter presenting on PinkKite at Kaspersky’s Security Analyst Summit. (Source: Threatpost)

Kroll Inc. researchers Matt Bromiley and Courtney Dayter presented on the threat during Kaspersky’s Security Analyst Summit 2018 on 9 March.

In their talk entitled “It’s a Small World After All: The Evolution of Small POS RAM Scrapers,” the researchers noted that PinkKite is similar to AbaddonPOS and other POS malware in that it uses its small size to avoid detection. But the baddy, which comes with memory-scraping and data validation techniques, stands out in several key respects.

Perhaps the biggest difference has to do with how it exfiltrates victims’ stolen payment card data. It doesn’t use a command-and-control (C&C) server like other threats. Instead, PinkKite sends the information to three clearinghouses located in South Korea, the Netherlands, and Canada.

Bromiley explained during the talk that this design choice made the malware easier to detect and analyze. As quoted by Threatpost:

From a malware collection point of view, it was probably easier for adversaries to send data to clearinghouses. It also may have helped them keep a little bit of distance from the POS terminals. But, from an investigative point of view we loved it because it made the operation very noisy.

PinkKite also stands out for its use of hard-coded double-XOR encryption (two XOR passes with fixed keys embedded in the binary) on the credit card details it scrapes from memory, another method of evading detection. It then takes that obfuscated information, stores it along with as many as several thousand other credit card records in compressed files, and writes the files onto one of the three clearinghouse remote systems.
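The following is an added example, not code from PinkKite or from the Kroll researchers, illustrating from the defender's side why fixed-key double XOR is weak protection for staged card data. It assumes two hard-coded single-byte keys (the placeholder values 0x5A and 0x3C) and a constructed record containing the well-known test PAN 4111111111111111; the real malware's keys and record layout are not on the page. Two XOR passes with fixed keys collapse to one XOR with the combined key, so an analyst triaging a suspected exfiltration file can try all 256 single-byte keys and look for Luhn-valid 16-digit runs.

```python
import re
from typing import Dict, List

# Constructed sample record (assumed layout, not a real capture).
SAMPLE_PLAIN = b"CARD:4111111111111111;EXP:2512;"
KEY1, KEY2 = 0x5A, 0x3C  # placeholder hard-coded keys, not PinkKite's

# Sixteen consecutive digits not bordered by another digit.
PAN_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed single-byte key."""
    return bytes(b ^ key for b in data)


def double_xor(data: bytes, key1: int, key2: int) -> bytes:
    """Two successive fixed-key XOR passes, as the article describes for PinkKite.
    Mathematically this equals a single XOR with key1 ^ key2."""
    return xor_bytes(xor_bytes(data, key1), key2)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the validation scrapers use to keep only real PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> List[str]:
    """Return Luhn-valid 16-digit runs found in a decoded buffer."""
    return [m.group().decode() for m in PAN_RE.finditer(blob)
            if luhn_valid(m.group().decode())]


def scan_xor_candidates(blob: bytes) -> Dict[int, List[str]]:
    """Triage heuristic: try every single-byte key and report keys under which
    the buffer yields Luhn-valid PANs. Because double XOR with fixed keys is a
    single XOR, one pass of 256 keys covers both schemes."""
    hits: Dict[int, List[str]] = {}
    for key in range(256):
        pans = find_pans(xor_bytes(blob, key))
        if pans:
            hits[key] = pans
    return hits


# The "staged" buffer an analyst might recover from a clearinghouse upload.
SAMPLE_BLOB = double_xor(SAMPLE_PLAIN, KEY1, KEY2)

if __name__ == "__main__":
    for key, pans in scan_xor_candidates(SAMPLE_BLOB).items():
        print(f"key 0x{key:02x}: {pans}")
```

Luhn alone is a weak filter: some wrong keys will also produce digit runs that happen to pass the checksum, so the scan reports candidates rather than a single answer, and an analyst would confirm with issuer (BIN) ranges or surrounding track-data structure before treating a hit as real.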

Bromiley and Dayter first learned of the threat from a client when it told (Read more...)