
S0197 PUNCHTRACK

PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. [2][1]

| Item | Value |
|---|---|
| ID | S0197 |
| Associated Names | PSVC |
| Type | MALWARE |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 16 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
|---|---|
| PSVC | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | PUNCHTRACK scrapes memory for properly formatted payment card data. [2][1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PUNCHTRACK aggregates collected data in a tmp file. [1] |
| enterprise | T1027 | Obfuscated Files or Information | PUNCHTRACK is loaded and executed by a highly obfuscated launcher. [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0061 | FIN8 | [2] |

References