Punkey: New POS malware
The Dell Sonicwall Threats Research team observed reports of a POS bot family named GAV: POS.Punkey.A actively spreading in the wild. Punkey.A malware typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.
The Trojan injects into C:Windowsexplorer.exe and the injector is copied from its drop location to:
The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:
Punkey has versions for both 32-bit and 64-bit Windows-based PoS terminals and in addition to stealing payment card data while it's being processed, it also installs a keylogger to capture what employees type on such systems.
Command and Control (C&C) Traffic
Punkey performs C&C communication over port 80. First, two POST requests are sent to the C&C server.
Using the User-Agent: Example, a GET request is sent to the C&C server:
Now, DLLx64.dll is loaded into memory and any WH_KEYSTROKE message will be intercepted and sent back to this thread. The Keylogger sends the following request:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: