RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [1] [2] [3] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [4] [5]

ID: S0169
Platforms: Windows
Contributors: Walker Johnson
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description

The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. [4] [6] [5]


The DUEBREW component is a Perl2Exe binary launcher. [4] [5]


The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. [4] [5]

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

RawPOS encodes credit card data it collected from the victim with XOR.[2][4][3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

RawPOS installs itself as a service to maintain persistence.[1][2][4]

Enterprise T1005 Data from Local System

RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.[1][2][4]

Enterprise T1074 .001 Data Staged: Local Data Staging

Data captured by RawPOS is placed in a temporary file under a directory named "memdump".[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".[1][2][4]

Groups That Use This Software

ID Name References
G0053 FIN5