win.pillowmint

PILLOWMINT

Actor(s): Anunak


According to FireEye, PILLOWMINT is a point-of-sale (PoS) malware tool used to scrape track 1 and track 2 payment card data from memory. Its behaviour, mapped to MITRE ATT&CK:
- Scraped payment card data is encrypted and stored in the registry, and is also written in plaintext to a file (T1074: Data Staged).
- Contains additional backdoor capabilities, including:
  - running processes
  - downloading and executing files (T1105: Remote File Copy)
  - downloading and injecting DLLs (T1055: Process Injection)
- Communicates with a command-and-control (C2) server over HTTP using AES-encrypted messages (T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol).
The technique names are those of the 2018 ATT&CK matrix used in the FireEye presentation; in current ATT&CK, T1105 is Ingress Tool Transfer, T1071 is Application Layer Protocol, and T1032 has been deprecated in favour of T1573 (Encrypted Channel).

References
2020-06-22 | Trustwave | Rodel Mendrez
Pillowmint: FIN7’s Monkey Thief
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
@online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7’s Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} }
Families referenced: PILLOWMINT

2018-10-01 | FireEye | Regina Elwell, Katie Nickels
ATT&CKing FIN7
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} }
Families referenced: Bateleur, BELLHOP, Griffon, ANTAK, POWERPIPE, POWERSOURCE, HALFBAKED, BABYMETAL, Carbanak, Cobalt Strike, DNSMessenger, DRIFTPIN, PILLOWMINT, SocksBot
Yara Rules
[TLP:WHITE] win_pillowmint_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_pillowmint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The sample is x86-64; the comments below are the 64-bit decodes of the listed bytes.
        $sequence_0 = { 4833c4 4889842410060000 4c8bfa 448be1 4889942490000000 488bca }
            // n = 6, score = 100
            //   4833c4               | xor                 rax, rsp
            //   4889842410060000     | mov                 qword ptr [rsp + 0x610], rax
            //   4c8bfa               | mov                 r15, rdx
            //   448be1               | mov                 r12d, ecx
            //   4889942490000000     | mov                 qword ptr [rsp + 0x90], rdx
            //   488bca               | mov                 rcx, rdx

        $sequence_1 = { 4c0f44c7 488d942440010000 eb0d 41b809000000 488d15760f0300 e8???????? }
            // n = 6, score = 100
            //   4c0f44c7             | cmove               r8, rdi
            //   488d942440010000     | lea                 rdx, [rsp + 0x140]
            //   eb0d                 | jmp                 short +0xd
            //   41b809000000         | mov                 r8d, 9
            //   488d15760f0300       | lea                 rdx, [rip + 0x30f76]
            //   e8????????           | call                <rel32 wildcarded>

        $sequence_2 = { 4533c0 488d542460 488d4db0 e8???????? 803d????????00 0f846e010000 33d2 }
            // n = 7, score = 100
            //   4533c0               | xor                 r8d, r8d
            //   488d542460           | lea                 rdx, [rsp + 0x60]
            //   488d4db0             | lea                 rcx, [rbp - 0x50]
            //   e8????????           | call                <rel32 wildcarded>
            //   803d????????00       | cmp                 byte ptr [rip + <disp32 wildcarded>], 0
            //   0f846e010000         | je                  +0x16e
            //   33d2                 | xor                 edx, edx

        $sequence_3 = { 488b95c8000000 488b8dc0000000 e8???????? 4883c420 5d c3 }
            // n = 6, score = 100
            //   488b95c8000000       | mov                 rdx, qword ptr [rbp + 0xc8]
            //   488b8dc0000000       | mov                 rcx, qword ptr [rbp + 0xc0]
            //   e8????????           | call                <rel32 wildcarded>
            //   4883c420             | add                 rsp, 0x20
            //   5d                   | pop                 rbp
            //   c3                   | ret

        $sequence_4 = { 4883ec20 498bd8 e8???????? 4c8d4820 66c740180000 4d85c9 741d }
            // n = 7, score = 100
            //   4883ec20             | sub                 rsp, 0x20
            //   498bd8               | mov                 rbx, r8
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d4820             | lea                 r9, [rax + 0x20]
            //   66c740180000         | mov                 word ptr [rax + 0x18], 0
            //   4d85c9               | test                r9, r9
            //   741d                 | je                  short +0x1d

        $sequence_5 = { 4833cc e8???????? 4c8d9c24e0010000 498b5b20 498b7330 498b7b38 498be3 }
            // n = 7, score = 100
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d9c24e0010000     | lea                 r11, [rsp + 0x1e0]
            //   498b5b20             | mov                 rbx, qword ptr [r11 + 0x20]
            //   498b7330             | mov                 rsi, qword ptr [r11 + 0x30]
            //   498b7b38             | mov                 rdi, qword ptr [r11 + 0x38]
            //   498be3               | mov                 rsp, r11

        $sequence_6 = { e8???????? 488b08 49890e 41c6460801 498bc6 e9???????? 41807f1900 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   488b08               | mov                 rcx, qword ptr [rax]
            //   49890e               | mov                 qword ptr [r14], rcx
            //   41c6460801           | mov                 byte ptr [r14 + 8], 1
            //   498bc6               | mov                 rax, r14
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   41807f1900           | cmp                 byte ptr [r15 + 0x19], 0

        $sequence_7 = { ffc2 48ffc1 498d040b 4883f814 0f8d92050000 ebce 4863c2 }
            // n = 7, score = 100
            //   ffc2                 | inc                 edx
            //   48ffc1               | inc                 rcx
            //   498d040b             | lea                 rax, [r11 + rcx]
            //   4883f814             | cmp                 rax, 0x14
            //   0f8d92050000         | jge                 +0x592
            //   ebce                 | jmp                 short -0x32
            //   4863c2               | movsxd              rax, edx

        $sequence_8 = { 493bd0 490f42d0 488d0d9c050400 e8???????? 488b0d???????? 48898c2488000000 }
            // n = 6, score = 100
            //   493bd0               | cmp                 rdx, r8
            //   490f42d0             | cmovb               rdx, r8
            //   488d0d9c050400       | lea                 rcx, [rip + 0x4059c]
            //   e8????????           | call                <rel32 wildcarded>
            //   488b0d????????       | mov                 rcx, qword ptr [rip + <disp32 wildcarded>]
            //   48898c2488000000     | mov                 qword ptr [rsp + 0x88], rcx

        $sequence_9 = { 450fb6f0 488bf2 4863d9 4584c0 740d 488d0d665f0400 ff15???????? }
            // n = 7, score = 100
            //   450fb6f0             | movzx               r14d, r8b
            //   488bf2               | mov                 rsi, rdx
            //   4863d9               | movsxd              rbx, ecx
            //   4584c0               | test                r8b, r8b
            //   740d                 | je                  short +0xd
            //   488d0d665f0400       | lea                 rcx, [rip + 0x45f66]
            //   ff15????????         | call                qword ptr [rip + <disp32 wildcarded>]

    condition:
        7 of them and filesize < 4667392
}