PinkKite is less than 6k in size, comparable to other small POS malware families such as TinyPOS and AbaddonPOS. Like those families, PinkKite relies on its tiny footprint to avoid detection and comes equipped with memory-scraping and data-validation routines.
“Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that uses a clearinghouse to exfiltrate data to,” Dayter said.
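To make the "hard-coded double-XOR" point concrete from an analyst's side, the following is an added example written for this article, not PinkKite's own code. It assumes nothing about the real keys or key lengths: the two keys, the repeating-key XOR layout and the sample track-style string are all constructed for illustration. It shows why two fixed XOR passes are no stronger than one (they collapse to a single combined key), and how an incident responder who knows a fragment of the plaintext format can recover that combined key from captured exfiltration data.

```python
from math import lcm

# Added example (not PinkKite's code). Keys and sample data are constructed.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with a repeating key (the usual 'XOR encryption')."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Two sequential XOR passes with fixed keys, as the article describes.

    XOR is its own inverse, so the same call also decodes the data.
    """
    return xor_with_key(xor_with_key(data, key1), key2)


def combined_key(key1: bytes, key2: bytes) -> bytes:
    """The single key equivalent to XOR-ing with key1 and then key2.

    Both keys repeat, so the combined key repeats with period lcm(len1, len2).
    """
    n = lcm(len(key1), len(key2))
    return bytes(key1[i % len(key1)] ^ key2[i % len(key2)] for i in range(n))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery: with a fixed XOR scheme, cipher ^ plain = key.

    If the known prefix is at least one full period long, the returned bytes
    (truncated to the period) decode the rest of the capture as well. This is
    what makes hard-coded XOR weak as protection for stolen card data: an
    analyst holding a capture and a guessable format can read it all.
    """
    if len(known_prefix) > len(ciphertext):
        raise ValueError("known prefix longer than captured data")
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


# Constructed demo values: a fake track-2-style record (test PAN) and two
# short keys of different lengths, chosen only to exercise the period logic.
SAMPLE_PLAINTEXT = b"TRACK2:4111111111111111=2512101"
KEY1 = b"\x5a\x3c"
KEY2 = b"\x12\x34\x56"


def demo() -> dict:
    """Run the round trip and key recovery; returns results for checking."""
    blob = double_xor(SAMPLE_PLAINTEXT, KEY1, KEY2)
    single = combined_key(KEY1, KEY2)                # period lcm(2, 3) = 6
    same_as_single_pass = xor_with_key(SAMPLE_PLAINTEXT, single) == blob
    decoded = double_xor(blob, KEY1, KEY2)
    # Analyst knows the records start with "TRACK2:" (7 bytes >= period 6).
    leaked = recover_key(blob, b"TRACK2:")[: len(single)]
    return {
        "blob": blob,
        "combined_key": single,
        "same_as_single_pass": same_as_single_pass,
        "round_trip_ok": decoded == SAMPLE_PLAINTEXT,
        "recovered_key_matches": leaked == single,
        "decoded_with_recovered_key": xor_with_key(blob, leaked),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The practical takeaway for detection and response: because both keys are fixed in the binary, any captured exfiltration payload that follows a predictable record layout can be decoded once a single period of the combined key is known, so captured data should be treated as fully exposed rather than "encrypted".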
The criminals behind the PinkKite campaign used three clearinghouses (or depots) located in South Korea, Canada and the Netherlands to receive the stolen data. Typically, POS malware sends data directly to a C2 server.