Punkey: New POS malware

May 1, 2015

The Dell SonicWALL Threats Research team observed reports of a POS bot family, detected as GAV: POS.Punkey.A, actively spreading in the wild. Punkey.A has memory-scraping capability: during its scan it reads process memory to retrieve credit card data.

Infection Cycle:

The Trojan injects into C:\Windows\explorer.exe, and the injector is copied from its drop location to:

  • %AppData\Local\jusched\jusched.exe [Detected as GAV: POS.Punkey.A (Trojan)]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run = %USERPROFILE%\Local Settings\Application Data\jusched\jusched.exe

Punkey has versions for both 32-bit and 64-bit Windows-based PoS terminals. In addition to stealing payment card data while it is being processed, it also installs a keylogger to capture what employees type on such systems. The keylogger component is dropped to:

  • %AdminAppData\Local\jusched\Dllx64.dll [Detected as GAV: KeyLogger.O_2 (Trojan)]

Command and Control (C&C) Traffic:

Punkey performs C&C communication over port 80. First, two POST requests are sent to the C&C server.

Using the User-Agent: Example, a GET request is sent to the C&C server:

Now, DLLx64.dll is loaded into memory and any WH_KEYSTROKE message will be intercepted and sent back to this thread. The keylogger sends the following request:
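As an added defensive check (not code from the advisory or from SonicWALL), the following Python script flags a Run-key entry of the form described in the infection cycle above: jusched.exe launched from a user-profile directory rather than from the Java installation path. The sample Run-key values are constructed; on Windows the live key is read through Python's winreg module, elsewhere the sample is all that is available.

```python
import ntpath
import re

# Persistence indicator from the advisory: an HKCU Run value that launches jusched.exe
# from a per-user profile directory (the legitimate Java updater lives under Program Files).
USER_PROFILE_DIRS = re.compile(
    r"\\(local settings\\application data|appdata\\(local|roaming))\\", re.IGNORECASE)

# Constructed sample Run-key values; the first is modelled on the advisory's entry.
SAMPLE_RUN_ENTRIES = {
    "jusched": r"%USERPROFILE%\Local Settings\Application Data\jusched\jusched.exe",
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
    "OneDrive": r'"C:\Users\clerk\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

def executable_of(command_line):
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return match.group(1) if match else cmd

def is_suspicious_run_entry(command_line):
    """True when the entry launches jusched.exe from a user-profile location."""
    exe = executable_of(command_line)
    return (ntpath.basename(exe).lower() == "jusched.exe"
            and USER_PROFILE_DIRS.search(exe) is not None)

def scan_run_entries(entries):
    """Return the names of Run-key values matching the persistence indicator."""
    return [name for name, value in entries.items() if is_suspicious_run_entry(value)]

def read_hkcu_run_entries():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = str(value)
            index += 1
    return entries
```

Run `scan_run_entries(read_hkcu_run_entries() or SAMPLE_RUN_ENTRIES)` to check a live terminal; a hit only indicates the persistence pattern, so confirm with the file hash and the GAV signatures listed below.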

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: POS.Punkey.A
  • GAV: POS.Punkey.A_2
  • GAV: KeyLogger.O_2