S0197 PUNCHTRACK

PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. [1][2]

| Item | Value |
| --- | --- |
| ID | S0197 |
| Associated Names | PSVC |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 17 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
| --- | --- |
| PSVC | [2] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1005 | Data from Local System | PUNCHTRACK scrapes memory for properly formatted payment card data. [1][2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PUNCHTRACK aggregates collected data in a tmp file. [2] |
| enterprise | T1027 | Obfuscated Files or Information | PUNCHTRACK is loaded and executed by a highly obfuscated launcher. [1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0061 | FIN8 | [1] |

References