SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pillowmint (Back to overview)

PILLOWMINT

Actor(s): Anunak


According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.
Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)
Contains additional backdoor capabilities including:
Running processes
Downloading and executing files (T1105: Remote File Copy)
Downloading and injecting DLLs (T1055: Process Injection)
Communicates with a command and control (C2) server over HTTP using AES encrypted messages
(T1071: Standard Application Layer Protocol)
(T1032: Standard Cryptographic Protocol)

References
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2020-06-22TrustwaveRodel Mendrez
@online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7’s Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} } Pillowmint: FIN7’s Monkey Thief
PILLOWMINT
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
Yara Rules
[TLP:WHITE] win_pillowmint_auto (20220808 | Detects win.pillowmint.)
rule win_pillowmint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.pillowmint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488d1527422000 48833d????????10 480f4315???????? 488d8d08050000 e8???????? 4885c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d1527422000       | jne                 0x66b
            //   48833d????????10     |                     
            //   480f4315????????     |                     
            //   488d8d08050000       | dec                 eax
            //   e8????????           |                     
            //   4885c0               | mov                 ecx, dword ptr [ebx + edi + 0x28]

        $sequence_1 = { e8???????? 488b4b28 e8???????? 488d0572f40200 488903 40f6c701 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488b4b28             | mov                 ecx, esi
            //   e8????????           |                     
            //   488d0572f40200       | dec                 ecx
            //   488903               | mov                 dword ptr [esi], edi
            //   40f6c701             | test                eax, eax

        $sequence_2 = { ff15???????? 483305???????? 488d155e970100 488bcb 488905???????? ff15???????? 488d1567970100 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   483305????????       |                     
            //   488d155e970100       | lea                 edx, [esp + 0x50]
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1567970100       | lea                 ecx, [esp + 0x20]

        $sequence_3 = { 488d4c2440 e8???????? 90 4c8d0582610300 488bd0 488d4c2420 e8???????? }
            // n = 7, score = 100
            //   488d4c2440           | nop                 
            //   e8????????           |                     
            //   90                   | dec                 esp
            //   4c8d0582610300       | lea                 eax, [0x2d87f]
            //   488bd0               | dec                 eax
            //   488d4c2420           | lea                 edx, [esp + 0x20]
            //   e8????????           |                     

        $sequence_4 = { 4c896c2430 c644242000 48837d9810 7209 488b4d80 e8???????? 33c9 }
            // n = 7, score = 100
            //   4c896c2430           | lea                 eax, [esi + 1]
            //   c644242000           | xor                 edx, edx
            //   48837d9810           | cmp                 byte ptr [esp + 0x20], 0
            //   7209                 | jne                 0xfa
            //   488b4d80             | inc                 ebp
            //   e8????????           |                     
            //   33c9                 | xor                 eax, eax

        $sequence_5 = { 48ffcb 4803fb 488d5801 ebc8 488d45d7 4c8b45d7 }
            // n = 6, score = 100
            //   48ffcb               | xor                 eax, eax
            //   4803fb               | dec                 eax
            //   488d5801             | mov                 edx, eax
            //   ebc8                 | dec                 eax
            //   488d45d7             | lea                 ecx, [ebp - 0x38]
            //   4c8b45d7             | nop                 

        $sequence_6 = { 488b8c24a8030000 e8???????? 488d942410010000 488bcb ff15???????? 85c0 0f8520ffffff }
            // n = 7, score = 100
            //   488b8c24a8030000     | nop                 
            //   e8????????           |                     
            //   488d942410010000     | dec                 ecx
            //   488bcb               | or                  ecx, 0xffffffff
            //   ff15????????         |                     
            //   85c0                 | inc                 ebp
            //   0f8520ffffff         | xor                 eax, eax

        $sequence_7 = { 41884008 8ac2 c0e202 02c2 02c0 2ac8 418bc3 }
            // n = 7, score = 100
            //   41884008             | lea                 eax, [eax - 0x111]
            //   8ac2                 | lea                 eax, [edx + eax*2]
            //   c0e202               | dec                 ecx
            //   02c2                 | cmovae              eax, eax
            //   02c0                 | dec                 eax
            //   2ac8                 | sub                 ecx, eax
            //   418bc3               | dec                 eax

        $sequence_8 = { 75f6 488bd0 488d4dd8 e8???????? 90 4c8d054e160300 }
            // n = 6, score = 100
            //   75f6                 | jne                 0x21f
            //   488bd0               | dec                 eax
            //   488d4dd8             | mov                 dword ptr [eax + 0x18], ebx
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   4c8d054e160300       | mov                 dword ptr [eax + 0x20], esi

        $sequence_9 = { 807d6002 754e 488d05486cfdff d1eb 4c8d4ddc 4a8b8ce8f0630400 498bd4 }
            // n = 7, score = 100
            //   807d6002             | je                  0x121d
            //   754e                 | mov                 edx, 0x2c0
            //   488d05486cfdff       | mov                 ecx, 1
            //   d1eb                 | dec                 eax
            //   4c8d4ddc             | sub                 esp, 0x20
            //   4a8b8ce8f0630400     | dec                 eax
            //   498bd4               | cmp                 dword ptr [ecx + 0x90], 0

    condition:
        7 of them and filesize < 4667392
}
Download all Yara Rules