ENSILO BLOG

enSilo Blocks PinkKite Point of Sale Malware

Summary

Generally speaking, point of sale (POS) malware refers to a family of variants that target POS terminals in order to collect payment card information. It does so by harvesting card track data from the memory of the software used to process payments.

Recently, researchers from Kroll Cyber Security identified a new variant they dubbed PinkKite, which is believed to be the successor of AbaddonPOS, a malware family that traces back to 2015.

The following analysis is based on a few samples we discovered and believe to be part of the PinkKite/AbaddonPOS malware.


Stealthiness Over Quantity

The PinkKite authors apparently prefer stealthiness over quantity: the malware is programmed to kill itself after 12 hours. Another clue supporting this is that PinkKite does not use any method to persist itself on the infected machine. In addition, PinkKite is fairly lean, as it has no capability other than memory scraping.


Process Iteration

The malware uses a list of known process names that are skipped during iteration in order to save execution time. The following are the blacklisted process names:

  • cmd.ex
  • conhos
  • dllhos
  • Explor
  • Issas.
  • mmc.ex
  • dwm.ex
  • csrs.e
  • winlog
  • clamsc
  • regsvr
  • mobsyn
  • rundll
  • runonc
  • spools
  • svchos
  • taskho
  • winwor
  • system
  • winini
  • smss.e
  • lsm.ex
  • csrss.
  • search
  • notepa
  • taskmg
  • avp.ex
  • oladdi


An earlier version, also linked to AbaddonPOS, used a whitelist of known POS process names as well as database server process names, but for some reason the authors dropped it in the latest version:

  • active
  • mercur
  • ocius4
  • rs232m
  • sdpdvk
  • unilec
  • focus8
  • ehubem
  • fdfdo.
  • cashbo
  • cps.bo
  • powerp
  • saleso
  • finedi
  • pointo
  • infigm
  • adrm.e
  • adfr.38
  • aldelo
  • araavl
  • bestpo
  • bosrv.
  • cardau
  • cashcl
  • checki
  • cre200
  • crosss
  • cxsret
  • ddcdsr
  • dovepo
  • dsihea
  • eagles
  • electr
  • fincha
  • invent
  • isspos
  • issret
  • magtek
  • nails1
  • omnipo
  • paymen
  • pixela
  • pos24f
  • posini
  • prm.cl
  • ptserv 
  • qbdbmg
  • qbpos.
  • qbposs.
  • retail
  • rmposl
  • roomke
  • rpro8.
  • rwpos.
  • sales3
  • soposu
  • spaint
  • telefl
  • transa
  • utg2sv
  • visual
  • wickr.
  • xcharg
  • xchrgs
  • resdbs
  • dbsrv1
  • ccs.ex
  • pos_sr
  • edcsvr
  • sqlser
  • e7.exe
  • gaspos
  • pos.ex
  • wc_cor
  • chirot
  • sqlbro


The Memory Scraper

Following a successful read from a process's memory, the malware tries to identify the patterns belonging to track 1 and track 2 of a credit card. Track 1 contains alphanumeric data such as:

B42176421882 50286^DOE/JOHN ^10111018031155200000

Track 2 contains the critical data that is verified by the POS machine and looks like the following:

4012312312312323=1011101803115 5200000

Generally, credit card track data starts with one of the digits 3, 4, 5 or 6, followed by a second character of '0'.


C&C Communication

After reading the process memory and copying the tracks, the malware encrypts them before sending them out. The encryption is a double XOR computation over the tracks that are about to be sent, and the encryption loop uses a hard-coded value, as seen in the following code snippet.
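As an added example (not code from the original post or from enSilo), the following Python script shows the defender's side of the two preceding sections: it scans a buffer for the track 1 and track 2 layouts described above, adds a Luhn check so that random digit runs do not trigger, and then demonstrates that a payload obfuscated with two hard-coded XOR constants is recovered by applying the same operation before scanning. The sample buffer and the two key bytes (0x5A and 0xC3) are constructed assumptions; the post does not publish the malware's real constant.

```python
import re

# Constructed sample: a fake memory region as a POS scraper would read it,
# with track records mixed into unrelated bytes. The card numbers are the
# standard Luhn-valid test PANs (4111..., 5500...), not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00tender=CASH\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00"
    b"id 1234567890123456=0000 checksum\x00"   # digits=digits shape, fails Luhn
    b";5500000000000004=2512101123456789?\x00"
    b"4012312312312323=1011101803115\x00"      # digit string from the post's track 2
                                               # illustration; it fails Luhn, so it is dropped
)

# Track 1: optional '%' sentinel, format code 'B', PAN, '^', name, '^', YYMM expiry.
TRACK1_RE = re.compile(rb"%?B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})")
# Track 2: optional ';' sentinel, PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})")


def luhn_valid(pan: bytes) -> bool:
    """Standard Luhn checksum over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                 # bytes iterate as ints; 48 == ord('0')
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep only BIN and last four digits so findings can be logged safely."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes) -> list:
    """Return (track, masked PAN, expiry, offset) for every Luhn-valid hit."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan, exp = m.group(1), m.group(3)
        if luhn_valid(pan):
            hits.append(("track1", mask(pan), exp.decode(), m.start()))
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1), m.group(2)
        if luhn_valid(pan):
            hits.append(("track2", mask(pan), exp.decode(), m.start()))
    return hits


# Assumed key bytes for the demonstration only; the post says the loop uses a
# hard-coded value but does not print it.
XOR_KEY_1 = 0x5A
XOR_KEY_2 = 0xC3


def double_xor(data: bytes, k1: int = XOR_KEY_1, k2: int = XOR_KEY_2) -> bytes:
    """Two successive single-byte XORs.

    XOR is its own inverse, so the same call both obfuscates and recovers the
    data. Note that two constant XORs collapse to one XOR with (k1 ^ k2), so the
    second pass adds no strength: once the constants are read out of a sample,
    every captured payload can be decoded.
    """
    return bytes((b ^ k1) ^ k2 for b in data)


def scan_outbound(payload: bytes, k1: int = XOR_KEY_1, k2: int = XOR_KEY_2) -> list:
    """Decode a captured outbound blob and look for card track data in it."""
    return find_track_data(double_xor(payload, k1, k2))


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print("in memory:", hit)
    captured = double_xor(SAMPLE_MEMORY)          # what would leave the host
    for hit in scan_outbound(captured):
        print("in decoded outbound payload:", hit)
```

The Luhn filter is what keeps a scanner like this usable on real memory or network captures: timestamps, transaction ids and similar digit runs frequently match the bare regex, and the checksum removes most of them. The masking keeps the tool itself from becoming a second place where full PANs are written to disk.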

[Figure: encryption loop code snippet]

We reproduced in our lab an environment identical to a POS station setup with enSilo's collector installed. As the next image shows, the collector identifies the suspicious activity, blocks the communication to the C&C server and so prevents exfiltration of data outside the organization.

[Figure: enSilo collector blocking the C&C communication]

IOCs:

The compilation dates in the following table show that the bot is still under active development.

Binary hash Compilation Date
e4d6202502f8d6025e44b269e1d871dbc92fbddad19bc42a72e171f42b933102 Wed Mar 28 01:24:03 2018
3e3a925154c62c2516f435f61be6cfb1fdbc9635c26452a6c7643201b83f6852 Tue Mar 20 18:13:04 2018
378d2a589286fde9cf5fe06975abfd2a0846c67fb297b3b184c4a3845fefb53f Tue Feb 27 21:32:14 2018
4120abd063f91386e895b78068c60595ab7a74de58b44884e59b61610accbed4 Thu Apr 06 03:19:23 2017
f9f75c038142cdb6cecf3a81f80ac07f54b1dd85b1d9532b056f6ebe87a04df2 Wed Sep 06 17:14:36 2017
7cfc340ed0bd2af138c4b2b85c19693755a9c9ea798028d1a17d0cfcc61b5a3a Thu Nov 05 03:29:56 2015

 

C&C Servers:

  • 165.16.165
  • 210.36.112
  • 165.16.199
