Associated Software Descriptions
The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest.
| Domain | ID | Sub-technique | Name |
|---|---|---|---|
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
| Enterprise | T1005 | | Data from Local System |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".
Groups That Use This Software