Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1546 | .011 | 事件触发执行: Application Shimming |
Pillowmint has used a malicious shim database to maintain persistence.[1] |
| Enterprise | T1005 | 从本地系统获取数据 |
Pillowmint has collected credit card data using native API functions.[1] |
|
| Enterprise | T1112 | 修改注册表 |
Pillowmint has modified the Registry key |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Pillowmint has been decompressed by included shellcode prior to being launched.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
Pillowmint has used a PowerShell script to install a shim database.[1] |
| Enterprise | T1560 | 归档收集数据 |
Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[1] |
|
| Enterprise | T1106 | 本机API |
Pillowmint has used multiple native Windows APIs to execute and conduct process injections.[1] |
|
| Enterprise | T1012 | 查询注册表 |
Pillowmint has used shellcode which reads code stored in the registry keys |
|
| Enterprise | T1027 | 混淆文件或信息 |
Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[1] |
|
| .011 | Fileless Storage |
Pillowmint has stored a compressed payload in the Registry key |
||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Pillowmint has deleted the filepath |
| .009 | 移除指标: Clear Persistence |
Pillowmint can uninstall the malicious service from an infected machine.[1] |
||
| Enterprise | T1057 | 进程发现 |
Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.[1] |
|
| Enterprise | T1055 | .004 | 进程注入: Asynchronous Procedure Call |
Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.[1] |