Researchers at Kroll Cyber Security have identified a new point of sale (POS) malware dubbed PinkKite. Its footprint is only about 6 KB, which helps it evade detection, putting it in the same class as other tiny POS malware families such as TinyPOS and AbaddonPOS.
The researchers investigated the POS malware campaign over a nine-month period in 2017 that ended last December.
PinkKite includes tools that scrape candidate credit card numbers from process memory and then validate them with the Luhn checksum, discarding digit runs that are not well-formed card numbers.
The malware then obfuscates the harvested numbers with a hard-coded double-XOR operation keyed with a predefined value. Each compressed output file can hold as many as 7,000 payment card numbers; the files are sent to one of three "collection" systems that act as clearinghouses, according to a Threatpost report.
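As an added illustration (not code from PinkKite, Kroll or Threatpost), the following Python sketches the two steps just described: scan a constructed memory buffer for digit runs, keep only the Luhn-valid ones, and obfuscate the result with a repeating double XOR. The sample buffer, the two key bytes and the function names are assumptions for this example; the page does not disclose PinkKite's key or file format.

```python
import re

# Constructed sample of scraped process memory (not a real dump). It contains two
# well-known Luhn-valid test PANs (4111111111111111, 5500000000000004), one
# 16-digit run that fails Luhn, and a short expiry field that is too short to match.
SAMPLE_MEMORY = (
    b"\x00\x10ID=4111111111111111;exp=1227\x00garbage"
    b"1234567890123456\x00\x00Track=5500000000000004?\xff"
)

# Assumed single-byte keys for the double XOR; PinkKite's real keys are not on the page.
KEY1 = b"\x5a"
KEY2 = b"\xa5"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(buf: bytes) -> list:
    """Find 13-19 digit runs in a memory buffer and keep those that pass Luhn."""
    candidates = re.findall(rb"(?<!\d)\d{13,19}(?!\d)", buf)
    return [c.decode() for c in candidates if luhn_valid(c.decode())]


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """XOR data with key1, then with key2 (both repeating). The operation is self-inverse."""
    out = bytearray(data)
    for key in (key1, key2):
        for i in range(len(out)):
            out[i] ^= key[i % len(key)]
    return bytes(out)


def equivalent_single_key(key1: bytes, key2: bytes) -> bytes:
    """Two XOR passes with equal-length keys collapse to one pass with key1 ^ key2."""
    if len(key1) != len(key2):
        raise ValueError("keys must have equal length for this simplification")
    return bytes(a ^ b for a, b in zip(key1, key2))


def obfuscate_pans(pans: list) -> bytes:
    """Serialize validated PANs one per line and apply the double XOR."""
    return double_xor("\n".join(pans).encode(), KEY1, KEY2)


def deobfuscate_pans(blob: bytes) -> list:
    """Reverse obfuscate_pans: applying the same two XOR passes restores the text."""
    return double_xor(blob, KEY1, KEY2).decode().split("\n")


if __name__ == "__main__":
    pans = scrape_pans(SAMPLE_MEMORY)
    blob = obfuscate_pans(pans)
    print("validated:", pans)
    print("obfuscated:", blob.hex())
    print("recovered:", deobfuscate_pans(blob))
    print("single equivalent key:", equivalent_single_key(KEY1, KEY2).hex())
```

The point of `equivalent_single_key` is the caveat an analyst cares about: two XOR passes with fixed keys of the same length are just one XOR with the keys combined, so the "double" layer adds no strength, and anyone who recovers the hard-coded keys from the binary can decode a captured collection file directly.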
To further hide from detection, PinkKite masquerades as legitimate Windows programs, using file names such as Svchost.exe, Ctfmon.exe and AG.exe. At least two variants of the malware were identified: a whitelist version that scrapes memory only from specific named processes, and a blacklist version that skips a list of excluded processes and scrapes all the others.