RawPOS
Associated Software Descriptions

Name | Description
---|---
FIENDCRY | The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Github Mempdump) (Citation: DarkReading FireEye FIN5 Oct 2015)
DUEBREW | The DUEBREW component is a Perl2Exe binary launcher. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
DRIFTWOOD | The DRIFTWOOD component is a Perl2Exe-compiled Perl script used by FIN5 (G0053) after they have identified data of interest on victims. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
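The FIENDCRY description above covers the scraping side (a regex sweep over process memory), and the Techniques table below records that RawPOS XOR-encodes what it collects before staging it. The Python below is an added example, not code from this page, from RawPOS or from FIN5 tooling. It shows both halves of that cycle: a Track 2 regex with a Luhn filter of the kind a memory scraper matches against, and the reverse step an analyst needs on a file pulled from a memdump staging directory, brute-forcing the XOR key by scoring each candidate on how many valid Track 2 records it decodes. The page says only that the data is XOR-encoded; the single-byte key, its value 0x5A and the memory fragment are assumptions constructed for this example (the PANs are the public Visa and Mastercard test numbers, not real card data).

```python
import re

# Track 2 layout (ISO/IEC 7813): optional start sentinel ';', 13-19 digit PAN,
# '=' separator, YYMM expiry, 3-digit service code, discretionary digits, '?' end.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")


def xor_bytes(data, key):
    """XOR every byte with one key byte. Symmetric, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def luhn_ok(pan):
    """Luhn check on a PAN string; filters regex hits that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf):
    """Scraper side: return Luhn-valid Track 2 hits as (PAN, expiry, service code)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode(), m.group(3).decode()))
    return hits


def recover_key(blob):
    """Analyst side: try all 256 key bytes against a staged file and keep the key
    that decodes the most Luhn-valid Track 2 records.
    Returns (key, hit_count, decoded_bytes), or None if no key yields a hit."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        n = len(find_track2(decoded))
        if n and (best is None or n > best[1]):
            best = (key, n, decoded)
    return best


def mask_pan(pan):
    """Keep the first 6 and last 4 digits so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed memory fragment (assumption, not a real capture): two Track 2 records
# built from the public test PANs 4111111111111111 and 5555555555554444, with filler.
SAMPLE_PLAINTEXT = (
    b"\x00\x00POSTERM\x00"
    b";4111111111111111=251210112345678?"
    b"\x00\x00\x00Cust:J.DOE\x00"
    b";5555555555554444=261220187654321?"
    b"\x00\x00"
)
SAMPLE_KEY = 0x5A                                      # assumed key, not RawPOS's
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # what a staged file might hold

if __name__ == "__main__":
    result = recover_key(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key produced Track 2 data")
    else:
        key, count, decoded = result
        print(f"key=0x{key:02x} records={count}")
        for pan, exp, svc in find_track2(decoded):
            print(f"  PAN {mask_pan(pan)} exp {exp} svc {svc}")
```

The Luhn filter is what makes the key search reliable: a wrong key can turn digit runs into other digit runs, but it almost never produces a run that is both Track 2 shaped and Luhn-valid. If a sample turns out to use a longer repeating key, the same scoring works per key position, with each position searched over 256 values independently.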
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | RawPOS encodes the credit card data it collects from the victim with XOR.(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)(Citation: Visa RawPOS March 2015)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | RawPOS installs itself as a service to maintain persistence.(Citation: Kroll RawPOS Jan 2017)(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Data captured by RawPOS is placed in a temporary file under a directory named "memdump".(Citation: Kroll RawPOS Jan 2017)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | New services created by RawPOS are given names that resemble legitimate Windows services, such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".(Citation: Kroll RawPOS Jan 2017)(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)
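The three host-side behaviours in the table above (a new service, a masquerade service name, and a staging file under a memdump directory) are all visible in standard Windows telemetry. The Python below is an added example, not part of this page: it runs those checks over constructed event records. Event ID 7045 in the System log ("A service was installed in the system") and Sysmon Event ID 11 (FileCreate) are the real event IDs; the tab-separated line format, the image paths and the sample lines themselves are assumptions made up for the example.

```python
import re

# Service names RawPOS has used to masquerade as legitimate Windows services
# (the three names reported on this page).
RAWPOS_SERVICE_NAMES = {
    "windows management help service",
    "microsoft support",
    "windows advanced task manager",
}

# RawPOS stages scraped data in a temporary file under a directory named "memdump".
STAGING_DIR_RE = re.compile(r"(?:^|[\\/])memdump(?:[\\/]|$)", re.IGNORECASE)

# Standard Windows event IDs used by the checks (not RawPOS-specific):
# System log 7045 = a service was installed; Sysmon 11 = FileCreate.
EVT_SERVICE_INSTALLED = ("System", 7045)
EVT_SYSMON_FILE_CREATE = ("Sysmon", 11)


def parse_event(line):
    """Parse one constructed log line: '<source>\\t<event id>\\t<k=v;k=v...>'
    (assumed format for this example, not a real log layout)."""
    source, event_id, body = line.rstrip("\n").split("\t", 2)
    fields = dict(item.split("=", 1) for item in body.split(";") if "=" in item)
    return source, int(event_id), fields


def check_service_install(source, event_id, fields):
    """T1543.003 + T1036.004: a new service whose name is a RawPOS masquerade name."""
    if (source, event_id) != EVT_SERVICE_INSTALLED:
        return None
    name = fields.get("ServiceName", "").strip()
    if name.lower() in RAWPOS_SERVICE_NAMES:
        return f"suspicious service '{name}' installed from {fields.get('ImagePath')}"
    return None


def check_staging_write(source, event_id, fields):
    """T1074.001: a file created under a directory named memdump."""
    if (source, event_id) != EVT_SYSMON_FILE_CREATE:
        return None
    target = fields.get("TargetFilename", "")
    if STAGING_DIR_RE.search(target):
        return f"file staged in memdump directory: {target} (writer: {fields.get('Image')})"
    return None


CHECKS = (check_service_install, check_staging_write)


def scan_log(lines):
    """Run every check over every line and return the list of alert strings."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        source, event_id, fields = parse_event(line)
        for check in CHECKS:
            hit = check(source, event_id, fields)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample log (assumption): two benign lines, one masquerading service
# install, one write into a memdump staging directory, one benign write elsewhere.
SAMPLE_LOG = [
    "System\t7045\tServiceName=Print Spooler;ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "Sysmon\t1\tImage=C:\\Windows\\explorer.exe;CommandLine=explorer.exe",
    "System\t7045\tServiceName=Windows Management Help Service;ImagePath=C:\\Windows\\Temp\\wmhs.exe",
    "Sysmon\t11\tImage=C:\\Windows\\Temp\\wmhs.exe;TargetFilename=C:\\Windows\\Temp\\memdump\\tmp0001.dat",
    "Sysmon\t11\tImage=C:\\Windows\\System32\\svchost.exe;TargetFilename=C:\\Windows\\Temp\\abc.tmp",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

The service-name list is a cheap, high-precision indicator but an operator can change it in minutes, so in production the 7045 check should also look at where the ImagePath points (a service binary launched from a temp or user-writable directory is suspicious regardless of its display name), and the staging check should be paired with the process-memory access the scraper needs to do its work.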
Groups That Use This Software

ID | Name | References
---|---|---
G0053 | FIN5 | (Citation: DarkReading FireEye FIN5 Oct 2015) (Citation: Mandiant FIN5 GrrCON Oct 2016)
References
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
- Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
- DiabloHorn. (2015, March 22). mempdump. Retrieved October 6, 2017.