S0169 RawPOS
RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [1][2][3] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [4][5]
| Item | Value |
|---|---|
| ID | S0169 |
| Associated Names | FIENDCRY, DUEBREW, DRIFTWOOD |
| Type | MALWARE |
| Version | 1.1 |
| Created | 16 January 2018 |
| Last Modified | 30 March 2020 |
Associated Software Descriptions
| Name | Description |
|---|---|
| FIENDCRY | The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. [4][6][5] |
| DUEBREW | The DUEBREW component is a Perl2Exe binary launcher. [4][5] |
| DRIFTWOOD | The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. [4][5] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | RawPOS encodes credit card data it collected from the victim with XOR. [2][4][3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | RawPOS installs itself as a service to maintain persistence. [1][2][4] |
| enterprise | T1005 | Data from Local System | RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. [1][2][4] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Data captured by RawPOS is placed in a temporary file under a directory named “memdump”. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | New services created by RawPOS are made to appear like legitimate Windows services, with names such as “Windows Management Help Service”, “Microsoft Support”, and “Windows Advanced Task Manager”. [1][2][4] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0053 | FIN5 | [5][4] |
References
1. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
2. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
3. Visa. (2015, March). Visa Security Alert: “RawPOS” Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
4. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
5. Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
6. DiabloHorn. (2015, March 22). mempdump. Retrieved October 6, 2017.