urlscan Public Scan: www.trustwave.com (52.151.96.240)
Submitted URL: https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey///
Effective URL: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-pos-malware-emerges-punkey/
Submission: On December 08 via api from US — Scanned from GB
NEW POS MALWARE EMERGES - PUNKEY
April 15, 2015
Eric Merritt

During a recent United States Secret Service investigation, Trustwave encountered a new family of POS malware that we named Punkey. It appears to have evolved from the NewPOSthings family of malware first discovered by Dennis Schwarz and Dave Loftus at Arbor Networks. While this malware shares some commonalities with that family, it departs rather dramatically from the standard operating procedure of the previous versions. In a blog post, TrendMicro also detailed recently compiled versions of the NewPOSthings family that bear a closer resemblance to NewPOSthings than Punkey does. This suggests that multiple actors may be using similar source code, or that the malware is being customized as a service for targeted campaigns. Because of the active investigation, I cannot reveal the C&C domains used in the samples.
For the uninitiated (or those not old enough to remember), the name is a play on the 80's sitcom Punky Brewster.

PUNKEY VERSIONS

Punkey self-identifies its version. Three unique versions have been discovered:

The difference between versions 18 and 19 is C&C information, and 18 and 19 are the primary versions described in this blog. The 2015 version slightly alters how the version is reported to the C&C server and will be discussed in the appropriate section below. Unless specifically noted, the description of the malware's operations should be assumed to be the same across all three versions.

OVERVIEW

Since a picture is worth a thousand words, and I'm going to use about 2,000 words to describe it--does that make this blog post worth three thousand words?

INJECTOR

The first stage of Punkey is an injector that contains an obfuscated binary that is decoded to inject into another process. The injector gets a handle to the explorer process, performs the necessary functions to inject a binary into another process and writes the file into its process space. If the "-s" argument was not provided at startup, GetModuleFileName is used to get the path to the current malware, and that path is passed to the injected process. The injected process is then launched using CreateRemoteThread and the injector exits.

STARTUP

When the thread executes (stage 2), the process checks to see whether a path was provided to it by the injector (remember that "-s" argument? No? We just talked about it? Come on people, keep up…). If a path is provided, the malware executes its setup:

1. The injector is copied from its drop location to %USERPROFILE%\Local Settings\Application Data\jusched\jusched.exe
2. Persistence is established by adding "%USERPROFILE%\Local Settings\Application Data\jusched\jusched.exe –s" to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key
3. The original injector is deleted

If a path is not provided, then these steps are skipped.
The first run of the malware occurs without any arguments, which causes the setup function to run as described above. Once the malware is in place, it is run with the "-s" argument, which prevents duplication of the setup process. Punkey also has an embedded resource that it writes to disk as %USERPROFILE%\Local Settings\Application Data\jusched\Dllx64.dll. Despite the name, this DLL is actually a 32-bit DLL that exports two functions for installing and uninstalling window hooks for intercepting key presses.

C&C

Now that the environment is set up, Punkey can get down to business. A POST request is made to a C&C server. An embedded list of C&C domains and/or IP addresses is contacted in turn until successful communications are established. In this case the list contained a domain and an IP. The POST requests are just information for the server, and no response is checked.

In the 2015-01-12 version this operation is changed slightly. The client sends a GET request to the C&C server first:

If the response to this is "ok", then a POST request is sent like in the earlier versions. This is not to be confused with the 200 OK received from a webserver, but an actual string "ok" returned by the C&C code. An odd choice to be sure.

In one sample a completely broken IP address (with an extra period at the end) was included, which prevented it from ever establishing communications. Another sample had an extra space at the beginning of the domain, breaking resolution of the domain. In the second case the backup IP address worked and the malware could communicate.

CREDIT CARD SCANNING

Prior to beginning the scanning process, Punkey sends a POST request to the C&C server. A thread is spawned to look for cardholder data (CHD), and a process blacklist is used to narrow down the search:

* svchost.exe
* iexplore.exe
* explorer.exe
* System
* smss.exe
* csrss.exe
* winlogon.exe
* lsass.exe
* spoolsv.exe
* alg.exe
* wuauclt.exe

It also does not scan its own process space.
The other processes are not so lucky and have their process space scanned for CHD. Punkey has its very own CHD-hunting algorithm (meaning it doesn't use regex), and any potential CHD is checked using the Luhn algorithm for validity. If the checks pass, then the data is encrypted and sent to the server. The thread continuously loops through the processes looking for more CHD.

ENCRYPTION

The author used AES encryption with an embedded key. Like anyone will tell you, no one should write their own encryption. So, like good developers, they went to the Internet to find some encryption code. I know because I found the same code. Thankfully they didn't bother changing a single digit of the key or the IV. The embedded keys match some example code and sure enough, after downloading and compiling a few changes I was successfully able to decrypt outgoing traffic. I wrote a decryption tool in Ruby that is available at Trustwave's Github page.

Both CHD and keylogger data are encrypted with AES and sent to the C&C server in the "unkey=" POST variable. It looks like this:

This traffic is AES encrypted, base64 encoded, then URL encoded. After reversing the process the data sent looks like this (no, it's NOT a valid payment card number):

This is where the naming fun comes into play! The combination of P(OST)unkey and calling the malware author a punk was just too sweet to pass up.

UPDATE

A second thread is spawned that handles downloading arbitrary payloads from the C&C server, as well as checking for updates to Punkey itself. This gives Punkey the ability to run additional tools on the system, such as executing additional reconnaissance tools or performing privilege escalation. This is a rare feature for POS malware. First, two POST requests are sent to the C&C server. Note: in the 2015-01-12 version, these POST requests are removed since they have already been sent to the C&C server.
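The Luhn check is the one filter Punkey applies before it trusts a digit run as cardholder data, and it is the same filter a defender can apply to cut false positives when a DLP rule or memory scan surfaces number-like strings. The block below is an added example and is not Trustwave's code or the malware's; the `luhn_candidates` helper and the sample buffer are constructed for illustration (4111111111111111 is a widely published test number, not a real card).

```ruby
# Added example: Luhn validation of candidate digit strings, the check the
# post says Punkey applies before exfiltrating data.  Not the malware's code.

# Returns true when the digit string satisfies the Luhn checksum.
# Only 13-19 digit strings are considered, the usual PAN length range.
def luhn_valid?(digits)
  return false unless digits.match?(/\A\d{13,19}\z/)
  sum = 0
  # Walk from the rightmost digit; every second digit is doubled, and a
  # doubled value above 9 has 9 subtracted (equivalent to summing its digits).
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Pull every 13-19 digit run out of a text buffer and keep only the runs
# that pass Luhn.  Hypothetical helper for a DLP-style post-filter.
def luhn_candidates(buffer)
  buffer.scan(/\d{13,19}/).select { |run| luhn_valid?(run) }
end

# Constructed sample: a 17-digit ticket id that fails Luhn, a valid test
# number, and the same test number with its check digit altered.
SAMPLE_BUFFER = "ticket=20150415123456789 card=4111111111111111 bad=4111111111111112"

if __FILE__ == $0
  p luhn_candidates(SAMPLE_BUFFER)
end
```

Only the genuine test number survives the filter; the long ticket id and the altered number are dropped, which is exactly the false-positive reduction a scanner needs before it raises an alert on a digit run.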
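The encryption section describes three layers on the "unkey=" value: AES, then base64, then URL encoding. The block below is an added example, not the author's Ruby decryption tool and not the malware's code. It peels those layers back with Ruby's standard OpenSSL and URI libraries. Punkey's real key and IV are not on this page and are not reproduced; the 16-byte `ASSUMED_KEY` and `ASSUMED_IV` are constructed placeholders, and AES-128-CBC is an assumed mode. An encoder is included only so the decoder has a sample body to work on offline.

```ruby
require 'openssl'
require 'uri'

# Added example: reverse the URL-encoding, base64 and AES layers the post
# describes on the "unkey=" POST variable.  Key, IV and cipher mode below
# are constructed placeholders, not values recovered from Punkey.
ASSUMED_KEY = "0123456789abcdef".b   # placeholder, not the malware's key
ASSUMED_IV  = "fedcba9876543210".b   # placeholder, not the malware's IV
ASSUMED_MODE = "AES-128-CBC"         # assumed mode

def aes_cipher(direction)
  c = OpenSSL::Cipher.new(ASSUMED_MODE)
  direction == :encrypt ? c.encrypt : c.decrypt
  c.key = ASSUMED_KEY
  c.iv  = ASSUMED_IV
  c
end

def aes_encrypt(plaintext)
  c = aes_cipher(:encrypt)
  c.update(plaintext) + c.final
end

def aes_decrypt(ciphertext)
  c = aes_cipher(:decrypt)
  c.update(ciphertext) + c.final
end

# Builds a sample POST body layered the way the post describes the traffic:
# AES, then base64 (no line breaks), then URL encoding of the base64 text.
def build_post_body(plaintext)
  "unkey=" + URI.encode_www_form_component([aes_encrypt(plaintext)].pack("m0"))
end

# Peels the layers back: strip the variable name, URL-decode, base64-decode,
# then decrypt.  Raises if the body is not an "unkey=" post.
def decode_post_body(body)
  raise ArgumentError, "not an unkey post" unless body.start_with?("unkey=")
  encoded = URI.decode_www_form_component(body.delete_prefix("unkey="))
  aes_decrypt(encoded.unpack1("m0"))
end

# Constructed sample plaintext; the digits are a published test number.
SAMPLE_PLAINTEXT = "4111111111111111 exp=12/25"

if __FILE__ == $0
  body = build_post_body(SAMPLE_PLAINTEXT)
  puts body
  puts decode_post_body(body)
end
```

Because the key and IV are fixed in the binary, anyone who recovers them once can decode every capture, which is why a static decryption tool works at all. A fixed IV under CBC also means two messages that begin with the same bytes produce identical leading ciphertext blocks, so even without the key, repeated card numbers would be visible as repeated ciphertext prefixes on the wire.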
A GET request is sent to the C&C server using the User-Agent: Example

There are two expected responses from the C&C server that define what happens next. A "no file" response causes the thread to sleep for 20 minutes (45 minutes in the 2015-01-12 version) and check again. If the response contains "tempurl:", then either the C&C server has an update available, or an arbitrary payload needs to be executed. The response from the server looks like this:

The flags are considered set if they have a "1" in them. Temporary payloads are downloaded to %USERPROFILE%\Local Settings\Application Data\jusched\temp.exe and executed. If the [Delete temp flag] is set, then temp.exe will be deleted on the next loop of this thread (20 or 45 minutes depending on the version). If the [Terminate self flag] is set, then the uploaddate: field must also be set. The version contained in this field is compared to the hard-coded version stored in the sample. If the server version is newer, then a global variable is set, the new malware is downloaded and executed, and the current malware exits. A POST is sent to the C&C server letting it know the current action. Here is a table showing the available commands and actions that occur to make it all a little clearer:

However, the author made a programming error here. Pointer addition is used to move along the "uploaddate:" string, but they only added 8. My guess is that it used to say "update:" or something along those lines. This results in a comparison that looks like this:

The "te:" is what is left over after the first eight characters of "uploaddate:" are processed. This comparison will always be true, since ASCII 't' will always be greater than any ASCII digit. Depending on how the C&C panel is set up, this could cause a repeated update process. Or, more likely, the author doesn't update often and didn't notice this bug.

KEYLOGGER

In the section titled "Startup", I told you Punkey dropped the DLLx64.dll in the malware folder.
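The "uploaddate:" bug is easy to see once the comparison is modelled. The block below is an added example, not the malware's code: it reproduces the effect of advancing 8 bytes into the response instead of the 11 bytes of "uploaddate:" and comparing the remainder as text. The assumption (from the post's reasoning about ASCII 't' versus digits) is that the comparison behaves like a C `strcmp`; `LOCAL_VERSION` is a constructed stand-in for the hard-coded version.

```ruby
# Added example: models the "uploaddate:" offset bug the post describes.
# Skipping 8 bytes instead of "uploaddate:".length leaves "te:" in front of
# the server's version, and a strcmp-style comparison then never says "older".

RESPONSE_PREFIX = "uploaddate:"
LOCAL_VERSION   = "2015-01-12"   # constructed stand-in for the embedded version

# C-style strcmp: negative, zero or positive, comparing byte by byte.
def strcmp(a, b)
  a <=> b
end

# Version comparison as the post describes it: advance `skip` bytes into the
# response, then compare the remainder with the embedded version.
def server_newer?(response, skip)
  strcmp(response[skip..-1], LOCAL_VERSION) > 0
end

# The shipped behaviour: only 8 bytes are skipped, so the compared text
# starts with "te:" and 't' (0x74) beats any digit (0x30-0x39).
def buggy_server_newer?(response)
  server_newer?(response, 8)
end

# What the author presumably intended: skip the whole field name.
def correct_server_newer?(response)
  server_newer?(response, RESPONSE_PREFIX.length)
end

if __FILE__ == $0
  ["2014-10-19", "2015-01-12", "2015-06-01"].each do |v|
    r = RESPONSE_PREFIX + v
    puts "#{r}: buggy=#{buggy_server_newer?(r)} correct=#{correct_server_newer?(r)}"
  end
end
```

With the bug, an older, identical or newer server version all report "newer", so a panel that keeps serving the current build would trigger the download-and-relaunch path on every loop, which is the repeated update the post warns about and is a recognisable noisy pattern in proxy logs.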
Well, it finally gets around to using it. The DLL is loaded into memory using LoadLibrary and the InstallHooks and UninstallHooks exports are resolved. The thread ID of the current thread is passed to the InstallHooks export. The window message hooks are installed and any WH_KEYSTROKE message will be intercepted and sent back to this thread. The keylogger collects 200 characters, encrypts them with the same AES key it uses to encrypt CHD, and sends them back to the C&C server with a POST request.

If errors occur during the keylogger setup, Punkey can send a couple of error messages to the C&C server with a POST request containing "key=" followed by one of the following errors:

* "An error occurred while loading dll file. Error Code: %lu"
* "An error occurred while installing keyboard hook."

64-BIT AND BEYOND!!

The 2014-10-19 version had both a 32-bit version and a 64-bit version. With the exception of being compiled for different architectures, the two versions are functionally the same. They're so similar in fact that the erroneous space in front of the domain was found in the 64-bit version as well as the 32-bit version. The 64-bit version also contained an actual 64-bit DLL used for keylogging.

VARIANT VARIATIONS

Looking into the NewPOSthings samples discussed by TrendMicro and Arbor Networks and comparing them to Punkey, there is mounting evidence that multiple threads of development are occurring from the same code base. There are enough similarities in strings, tactics, and C&C information to show a relationship between these samples. However, Punkey shows quite a departure from the commonalities shared by all the other variants. The following table describes the differences in the operation of Punkey versus the other variants.

The glue tying all these samples together is the use of the keylogger. A very similar DLL is dropped by all of them in the current working directory and uses the same logic to intercept keystrokes.
The use of some of the same C&C information as other variants (I didn't slip up. This C&C information hasn't been reported on ;)), the java theme, and a similar CHD-finding algorithm throughout all the variants tie them to a very similar code base. Additionally, the same process blacklist is used across variants as well.

CONCLUSION

Family definitions and version identification can be a difficult process. Malware authors don't always cooperate and provide distinct enough samples to easily classify exactly what malware was written by whom, and what version it is. Punkey shows more than enough uniqueness to earn a new name, but it is clear that there is heavy development occurring across different versions of a very similar code base. Attribution of the actors is less important than being able to identify the emerging threats and protecting your network data from attack.

In addition to the release of the decryption tool, you can find a YARA signature I've created for detecting all three versions on disk or in memory at Trustwave's Github page.

****UPDATE April 16, 2015****

Here are all of the hashes associated with Punkey that we've discovered:

32-bit Punkey
* 1dd9e1e661070c0d90faeef75d5a487641a4bfb99c58841827ee5b97e6315eaf
* 0a33332d200e52875c00ea98417b71621b77a9dc291e6a3bdbd69569aac670cf
* e0c4696093c71a8bbcd2aef357afca6c7b7fbfe787406f6797636a67ae9b975d

64-bit Punkey
* 6c7a26ac738c940cdce1e0fcbd9995994ce19332ea444c4ea87de52d2fe9713b

32-bit Dropped DLLs
* e06f57b984d52153d28bdf9e2629feb16e2dbdea617702fb3397c959ee70ed68
* 04678de7a93ca1fd7fc7eba1672ec04c9855160b4cace440cfcd3c66d8543026

64-bit Dropped DLL
* 5ce1e0f1883d13561f9a1cef321db13c4fefddf4fed1d40e7e31f3b04595f527