PinkKite is point-of-sale (PoS) malware first identified in 2017 by Kroll Cyber Security during the investigation of a large PoS malware campaign. The executable is small, under 6 KB, comparable to TinyPOS and AbaddonPOS. It has built-in persistence, obfuscates the data it collects with a double-XOR scheme using hard-coded keys, and sends that data not to a conventional command-and-control (C2) server but to one of three "clearinghouse" hosts located in South Korea, Canada, and the Netherlands. This method of exfiltration is more noticeable from an investigative point of view than the use of a C2 server. The PinkKite executable disguises itself as a legitimate Windows program using file names such as svchost.exe, cgfmon.exe, and ag.exe. After scraping payment card data from the infected system's memory, PinkKite runs the candidate numbers through the Luhn checksum to discard anything that is not a valid card number.

The operators first gain access to the victim's network and then move laterally, using Mimikatz against the Local Security Authority Subsystem Service (LSASS) to harvest credentials along the way. Once the network is compromised, they exfiltrate the card data over an RDP session.
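The memory-scraping and Luhn validation described above, shown as an added example (this is not PinkKite's code, and the byte buffer standing in for PoS process memory is constructed here). The scraper pulls out every digit run of primary account number (PAN) length, 13 to 19 digits, and keeps only those that pass the Luhn check; the same logic is what a memory-forensics or DLP tool would run when hunting for exposed card data.

```python
import re
from typing import Iterator

# Constructed stand-in for a slice of a PoS process's memory: binary noise,
# a Track-2-style record, an order ID of PAN length that is not a card
# number, a bare PAN, and a PAN with one digit corrupted.
SAMPLE_MEMORY = (
    b"\x00\x00POS\x00terminal v2.1\x00"
    b";4111111111111111=25121010000000000000?\x00"  # Track 2: PAN '=' expiry/service code
    b"order-id 1234567890123456 total 19.99\x00"    # 16 digits, fails Luhn
    b"\x10\x20 5555555555554444 \x00\xff"           # bare PAN, passes Luhn
    b"4111111111111112\x00"                          # last digit off by one, fails Luhn
)

# A PAN is 13-19 digits; the lookarounds stop the pattern from matching a
# 19-digit window inside a longer digit run (e.g. the 20-digit field after '=').
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back into one digit (18 -> 9, same as 1 + 8).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pans(buf: bytes) -> Iterator[str]:
    """Yield every PAN-length digit run in the buffer, in order of appearance."""
    for m in PAN_RE.finditer(buf):
        yield m.group().decode("ascii")


def scrape_pans(buf: bytes) -> list[str]:
    """Return the digit runs that are PAN-length and Luhn-valid."""
    return [c for c in candidate_pans(buf) if luhn_valid(c)]


if __name__ == "__main__":
    for pan in candidate_pans(SAMPLE_MEMORY):
        print(f"{pan}  luhn={'ok' if luhn_valid(pan) else 'fail'}")
    print("scraped:", scrape_pans(SAMPLE_MEMORY))
```

Running it lists four candidates and keeps two: the order ID and the corrupted PAN are dropped even though they have the right length, which is exactly why a scraper bothers with the checksum before exfiltrating anything. Luhn is only a transcription check, so passing it does not prove a number belongs to a real account; it just removes most of the noise a raw digit-run search produces.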

Technical Details

  • Additional technical information is available from Kroll Security and from Security Affairs.