S0517 Pillowmint

Pillowmint is point-of-sale malware used by FIN7, designed to capture credit card information. [1]

Item Value
ID S0517
Associated Names
Version 1.2
Created 27 July 2020
Last Modified 26 March 2023

Techniques Used

Domain | ID | Name | Use
enterprise | T1560 | Archive Collected Data | Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Pillowmint has used a PowerShell script to install a shim database. [1]
enterprise | T1005 | Data from Local System | Pillowmint has collected credit card data using native API functions. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Pillowmint has been decompressed by included shellcode prior to being launched. [1]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.011 | Application Shimming | Pillowmint has used a malicious shim database to maintain persistence. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Pillowmint has deleted the file %APPDATA%\Intel\devmonsrv.exe. [1]
enterprise | T1070.009 | Clear Persistence | Pillowmint can uninstall the malicious service from an infected machine. [1]
enterprise | T1112 | Modify Registry | Pillowmint has modified the Registry key HKLM\SOFTWARE\Microsoft\DRM to store a malicious payload. [1]
enterprise | T1106 | Native API | Pillowmint has used multiple native Windows APIs to execute and conduct process injection. [1]
enterprise | T1027 | Obfuscated Files or Information | Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption. [1]
enterprise | T1027.011 | Fileless Storage | Pillowmint has stored a compressed payload in the Registry key HKLM\SOFTWARE\Microsoft\DRM. [1]
enterprise | T1057 | Process Discovery | Pillowmint can iterate through running processes every six seconds, collecting a list of processes to capture data from later. [1]
enterprise | T1055 | Process Injection | -
enterprise | T1055.004 | Asynchronous Procedure Call | Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe. [1]
enterprise | T1012 | Query Registry | Pillowmint has used shellcode that reads code stored in the registry key \REGISTRY\SOFTWARE\Microsoft\DRM using the native Windows API, and has also read HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces as part of its C2. [1]
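The T1112 and T1027.011 rows above both point at HKLM\SOFTWARE\Microsoft\DRM as the place Pillowmint stages its compressed payload. The following PowerShell is an added defender-side check, not part of the ATT&CK page or of any vendor tooling: it walks that key and its subkeys and reports binary or unusually large values for triage. The key path comes from the page; the size threshold ($SizeThreshold) and the function names are assumptions chosen for this example.

```powershell
# Added example: inventory values under the registry key the page names as
# Pillowmint's payload store. Legitimate Windows components also use this key,
# so treat output as triage input to compare against a known-good baseline.
$KeyPath       = 'HKLM:\SOFTWARE\Microsoft\DRM'   # from the ATT&CK page
$SizeThreshold = 4096                             # assumed tuning value (bytes/chars)

function Get-SuspiciousDrmValues {
    param([string]$Path = $KeyPath, [int]$Threshold = $SizeThreshold)
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    $findings = foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name)
        # REG_BINARY comes back as byte[]; REG_SZ/REG_EXPAND_SZ as string.
        $length = if ($data -is [byte[]]) { $data.Length }
                  elseif ($data -is [string]) { $data.Length }
                  else { 0 }
        # Flag any binary blob, and any value large enough to hold a compressed payload.
        if ($kind -eq 'Binary' -or $length -ge $Threshold) {
            [pscustomobject]@{
                Key       = $Path
                ValueName = $(if ($name -eq '') { '(Default)' } else { $name })
                Kind      = $kind
                Length    = $length
            }
        }
    }
    return @($findings)
}

function Get-SuspiciousDrmTree {
    param([string]$Path = $KeyPath)
    # The page names only the parent key, so subkeys are walked as well.
    $results = @(Get-SuspiciousDrmValues -Path $Path)
    if (Test-Path -Path $Path) {
        foreach ($sub in Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue) {
            $results += Get-SuspiciousDrmValues -Path $sub.PSPath
        }
    }
    return $results
}

Get-SuspiciousDrmTree | Format-Table -AutoSize
```

Run it from an elevated session and diff the output against a clean host of the same build; a new binary value here, combined with a freshly installed shim database (T1546.011) or an APC into svchost.exe (T1055.004), is the combination worth escalating.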

Groups That Use This Software

ID | Name | References
G0046 | FIN7 | [1][2]