RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.
Associated Software Descriptions

| Name | Description |
|---|---|
| FIENDCRY | The FIENDCRY component is a memory scraper based on MemPDump that scans process memory for strings matching regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. |
| DUEBREW | The DUEBREW component is a Perl2Exe binary launcher. |
| DRIFTWOOD | The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 (FIN5) after they have identified data of interest on victims. |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1022 | Data Encrypted | RawPOS encodes credit card data it collected from the victim with XOR. |
| Enterprise | T1005 | Data from Local System | RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. |
| Enterprise | T1074 | Data Staged | Data captured by RawPOS is placed in a temporary file under a directory named "memdump". |
| Enterprise | T1036 | Masquerading | New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager". |
| Enterprise | T1050 | New Service | RawPOS installs itself as a service to maintain persistence. |
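The T1036, T1050 and T1074 entries above give a defender two concrete things to look for: service installations whose display name imitates a Windows component, and files written under a directory named "memdump". The following Python sketch is an added example, not code from the ATT&CK page or from any of the cited reports. It parses constructed event lines (the `key="value"` layout is an assumption, as are the `EventID` values and file paths used in the samples) and flags the behaviours the page describes; the "Windows-branded name outside the Windows directory" heuristic is a generalisation of the masquerade names listed, not something the page states.

```python
"""
Added detection sketch for the RawPOS behaviours described above: services
registered under names that imitate Windows components (T1036 / T1050) and
card data staged in a temporary file under a "memdump" directory (T1074).

All event lines below are constructed for this example; the key="value"
layout is an assumption, not the format of any particular log source.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service names the page lists as RawPOS masquerades (compared case-insensitively).
RAWPOS_SERVICE_NAMES = {
    "windows management help service",
    "microsoft support",
    "windows advanced task manager",
}

# Assumed heuristic: a Microsoft/Windows-branded service name whose binary
# lives outside the Windows directory deserves a second look.
BRANDED = re.compile(r"\b(windows|microsoft)\b", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
# Any path component literally named "memdump" (the staging directory on the page).
MEMDUMP_DIR = re.compile(r"[\\/]memdump[\\/]", re.IGNORECASE)

KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class ServiceInstall:
    name: str
    image_path: str
    account: str


def parse_event(line: str) -> dict:
    """Split a constructed key="value" event line into a dict."""
    return dict(KV.findall(line))


def parse_service_install(line: str) -> Optional[ServiceInstall]:
    """Return a ServiceInstall for a 'new service installed' event, else None."""
    fields = parse_event(line)
    if fields.get("EventID") != "7045":  # assumed ID for service installation
        return None
    if "ServiceName" not in fields or "ImagePath" not in fields:
        return None
    return ServiceInstall(fields["ServiceName"], fields["ImagePath"], fields.get("Account", ""))


def assess_service(svc: ServiceInstall) -> list:
    """Reasons (possibly empty) why a service installation resembles RawPOS tradecraft."""
    reasons = []
    if svc.name.strip().lower() in RAWPOS_SERVICE_NAMES:
        reasons.append("service name matches a known RawPOS masquerade")
    if BRANDED.search(svc.name) and not WINDOWS_DIR.match(svc.image_path):
        reasons.append("Windows-branded service name with binary outside the Windows directory")
    return reasons


def is_memdump_staging_path(path: str) -> bool:
    """True when a file path sits under a directory named 'memdump' (T1074 staging)."""
    return MEMDUMP_DIR.search(path) is not None


def scan(lines):
    """Run both checks over event lines; returns {line_number: [reasons]} for hits only."""
    hits = {}
    for n, line in enumerate(lines, 1):
        reasons = []
        svc = parse_service_install(line)
        if svc:
            reasons.extend(assess_service(svc))
        target = parse_event(line).get("TargetFilename")
        if target and is_memdump_staging_path(target):
            reasons.append("file written under a 'memdump' directory")
        if reasons:
            hits[n] = reasons
    return hits


SAMPLE_EVENTS = [  # constructed; paths and binary names are placeholders
    'EventID="7045" ServiceName="Windows Management Help Service" ImagePath="C:\\ProgramData\\svchst.exe" Account="LocalSystem"',
    'EventID="7045" ServiceName="Windows Update" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" Account="LocalSystem"',
    'EventID="7036" ServiceName="Windows Update" State="running"',
    'EventID="11" Image="C:\\ProgramData\\svchst.exe" TargetFilename="C:\\Windows\\Temp\\memdump\\1.tmp"',
    'EventID="11" Image="C:\\Windows\\explorer.exe" TargetFilename="C:\\Users\\pos\\Desktop\\receipt.txt"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS).items():
        print(n, SAMPLE_EVENTS[n - 1])
        for r in reasons:
            print("   ->", r)
```

Only the first and fourth sample lines are reported: the legitimate `svchost.exe` service carries Windows branding but resolves under the Windows directory, so the branding heuristic stays quiet, and the state-change event is skipped because it is not an installation. In a real deployment the exact-name set is the cheapest check but also the easiest for an operator to vary; the staging-directory and branding heuristics are the ones worth tuning against your own baseline.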
Groups that use this software: FIN5
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
- Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
- DiabloHorn. (2015, March 22). mempdump. Retrieved October 6, 2017.