Skip to content

S0169 RawPOS

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. 1 2 3 FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. 4 5

Item Value
ID S0169
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
FIENDCRY The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. 4 6 5
DUEBREW The DUEBREW component is a Perl2Exe binary launcher. 4 5
DRIFTWOOD The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. 4 5

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method RawPOS encodes credit card data it collected from the victim with XOR.243
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service RawPOS installs itself as a service to maintain persistence.124
enterprise T1005 Data from Local System RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.124
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Data captured by RawPOS is placed in a temporary file under a directory named “memdump”.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service New services created by RawPOS are made to appear like legitimate Windows services, with names such as “Windows Management Help Service”, “Microsoft Support”, and “Windows Advanced Task Manager”.124

Groups That Use This Software

ID Name References
G0053 FIN5 54


Back to top