Pillowmint

Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]

ID: S0517
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 27 July 2020
Last Modified: 06 October 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Pillowmint has used a PowerShell script to install a shim database.[1]

Enterprise T1005 Data from Local System

Pillowmint has collected credit card data using native API functions.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Pillowmint has been decompressed by included shellcode prior to being launched.[1]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

Pillowmint has used a malicious shim database to maintain persistence.[1]

Enterprise T1070 Indicator Removal on Host

Pillowmint can uninstall the malicious service from an infected machine.[1]

.004 File Deletion

Pillowmint has deleted the filepath %APPDATA%\Intel\devmonsrv.exe.[1]

Enterprise T1112 Modify Registry

Pillowmint has stored its malicious payload in the registry key HKLM\SOFTWARE\Microsoft\DRM.[1]

Enterprise T1106 Native API

Pillowmint has used multiple native Windows APIs to execute and conduct process injections.[1]

Enterprise T1027 Obfuscated Files or Information

Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[1]

Enterprise T1057 Process Discovery

Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.[1]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.[1]

Enterprise T1012 Query Registry

Pillowmint has used shellcode which reads code stored in the registry keys \REGISTRY\SOFTWARE\Microsoft\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces as part of its C2.[1]

Groups That Use This Software

ID Name References
G0046 FIN7

[1]

References