RawPOS

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [1] [2] [3] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [4] [5]

ID: S0169
Associated Software: FIENDCRY, DUEBREW, DRIFTWOOD

Type: MALWARE
Contributors: Walker Johnson

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name | Description
FIENDCRY | The FIENDCRY component is a memory scraper based on MemPDump that scans process memory for data matching regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. [4] [6] [5]
DUEBREW | The DUEBREW component is a Perl2Exe binary launcher. [4] [5]
DRIFTWOOD | The DRIFTWOOD component is a Perl2Exe-compiled Perl script used by G0053 after they have identified data of interest on victims. [4] [5]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1022 | Data Encrypted | RawPOS encodes credit card data it collected from the victim with XOR. [2] [4] [3]
Enterprise | T1005 | Data from Local System | RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. [1] [2] [4]
Enterprise | T1074 | Data Staged | Data captured by RawPOS is placed in a temporary file under a directory named "memdump". [1]
Enterprise | T1036 | Masquerading | New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager". [1] [2] [4]
Enterprise | T1050 | New Service | RawPOS installs itself as a service to maintain persistence. [1] [2] [4]
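A hunt helper for the service masquerading, service persistence and "memdump" staging rows above, written here as an added example (not MITRE's or any vendor's code). The three display names come from this page; the service records and file paths are constructed sample data shaped like a service-list export, and the "Microsoft-styled name running outside Windows directories" heuristic and its trusted-directory list are assumptions.

```python
"""Hunt for RawPOS service masquerading/persistence (T1036, T1050) and
'memdump' staging (T1074). Added example; SAMPLE_* are constructed data and
the path heuristic and TRUSTED_PREFIXES are assumptions, not from ATT&CK."""
import csv
import io
from pathlib import PureWindowsPath

# Display names this page reports RawPOS giving its persistence service.
RAWPOS_DISPLAY_NAMES = {"windows management help service", "microsoft support",
                        "windows advanced task manager"}
# Assumption: genuine Microsoft-named services run from these locations.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

# Constructed sample shaped like a CSV export of the service list.
SAMPLE_SERVICES = r"""Name,DisplayName,PathName
wuauserv,Windows Update,"C:\Windows\System32\svchost.exe -k netsvcs"
WinHelpSvc,Windows Management Help Service,C:\Windows\Temp\svhost.exe
MSSupp,Microsoft Support,C:\ProgramData\ms\svc.exe
WinDefend,Microsoft Defender Antivirus Service,"C:\Program Files\Windows Defender\MsMpEng.exe"
WinNetHlp,Windows Network Helper,C:\Users\Public\wnh.exe
"""
# Constructed sample of file paths from a temp-directory sweep.
SAMPLE_PATHS = [r"C:\Windows\Temp\memdump\a1.tmp",
                r"C:\Users\clerk\AppData\Local\Temp\report.tmp"]


def flag_services(csv_text):
    """Return (service name, reason) for each suspicious service record."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        display = row["DisplayName"].strip().lower()
        path = row["PathName"].strip().lower()
        if display in RAWPOS_DISPLAY_NAMES:
            findings.append((row["Name"], "display name on RawPOS masquerade list"))
        elif (display.startswith(("windows ", "microsoft "))
              and not path.startswith(TRUSTED_PREFIXES)):
            findings.append((row["Name"], "Microsoft-styled name, binary outside Windows dirs"))
    return findings


def flag_staging_paths(paths):
    """Return files under a directory named 'memdump', the staging location named above."""
    return [p for p in paths
            if "memdump" in (part.lower() for part in PureWindowsPath(p).parts[:-1])]


if __name__ == "__main__":
    for name, reason in flag_services(SAMPLE_SERVICES):
        print(f"service {name}: {reason}")
    print("staged files:", flag_staging_paths(SAMPLE_PATHS))
```

The heuristic branch is what catches a renamed variant that no longer uses the three published display names, at the cost of reviewing legitimate third-party services that borrow Microsoft-style naming.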

Groups

Groups that use this software:

FIN5

References