S0517 Pillowmint
Pillowmint is point-of-sale malware used by FIN7 and designed to capture credit card information.[1]
Item | Value |
---|---|
ID | S0517 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 27 July 2020 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Pillowmint has used a PowerShell script to install a shim database.[1] |
enterprise | T1005 | Data from Local System | Pillowmint has collected credit card data using native API functions.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Pillowmint has been decompressed by included shellcode prior to being launched.[1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.011 | Application Shimming | Pillowmint has used a malicious shim database to maintain persistence.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Pillowmint has deleted the file %APPDATA%\Intel\devmonsrv.exe.[1] |
enterprise | T1070.009 | Clear Persistence | Pillowmint can uninstall its malicious service from an infected machine.[1] |
enterprise | T1112 | Modify Registry | Pillowmint has modified the Registry key HKLM\SOFTWARE\Microsoft\DRM to store a malicious payload.[1] |
enterprise | T1106 | Native API | Pillowmint has used multiple native Windows APIs to execute and to perform process injection.[1] |
enterprise | T1027 | Obfuscated Files or Information | Pillowmint has been compressed and stored within a Registry key. Pillowmint has also obfuscated the AES key used for encryption.[1] |
enterprise | T1027.011 | Fileless Storage | Pillowmint has stored a compressed payload in the Registry key HKLM\SOFTWARE\Microsoft\DRM.[1] |
enterprise | T1057 | Process Discovery | Pillowmint can iterate through running processes every six seconds, collecting a list of processes to capture data from later.[1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.004 | Asynchronous Procedure Call | Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.[1] |
enterprise | T1012 | Query Registry | Pillowmint has used shellcode that reads code stored in the Registry key \REGISTRY\SOFTWARE\Microsoft\DRM via the native Windows API, and has also read HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces as part of its C2.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0046 | FIN7 | [1][2] |