win.pillowmint

PILLOWMINT

Actor(s): Anunak


According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.
- Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)
- Contains additional backdoor capabilities including:
  - Running processes
  - Downloading and executing files (T1105: Remote File Copy)
  - Downloading and injecting DLLs (T1055: Process Injection)
- Communicates with a command and control (C2) server over HTTP using AES encrypted messages (T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol)

References

2022-05-22 | cocomelonc | cocomelonc
Malware development trick - part 29: Store binary data in registry. Simple C++ example.
@online{cocomelonc:20220522:malware:b0a0669, author = {cocomelonc}, title = {{Malware development trick - part 29: Store binary data in registry. Simple C++ example.}}, date = {2022-05-22}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html}, language = {English}, urldate = {2023-05-23} }
Related families: Turla RAT, PILLOWMINT, PipeMon

2021-08-30 | CrowdStrike | Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} }
Related families: Bateleur, Griffon, Carbanak, DarkSide, JSSLoader, PILLOWMINT, REvil

2020-06-22 | Trustwave | Rodel Mendrez
Pillowmint: FIN7's Monkey Thief
@online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7's Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} }
Related families: PILLOWMINT

2018-10-01 | FireEye | Regina Elwell, Katie Nickels
ATT&CKing FIN7
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} }
Related families: Bateleur, BELLHOP, Griffon, ANTAK, POWERPIPE, POWERSOURCE, HALFBAKED, BABYMETAL, Carbanak, Cobalt Strike, DNSMessenger, DRIFTPIN, PILLOWMINT, SocksBot
Yara Rules
[TLP:WHITE] win_pillowmint_auto (20230715 | Detects win.pillowmint.)
rule win_pillowmint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.pillowmint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? b001 eb43 48837de710 720a 488b4dcf }
            // n = 6, score = 100
            //   e8????????           |                     
            //   b001                 | dec                 eax
            //   eb43                 | mov                 ecx, dword ptr [esp + 0x50]
            //   48837de710           | dec                 ecx
            //   720a                 | mov                 dword ptr [esi], ecx
            //   488b4dcf             | je                  0x46b

        $sequence_1 = { 488bcb 488905???????? ff15???????? 488d159f970100 483305???????? 488bcb 488905???????? }
            // n = 7, score = 100
            //   488bcb               | add                 byte ptr [eax], al
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d159f970100       | nop                 dword ptr [eax]
            //   483305????????       |                     
            //   488bcb               | nop                 word ptr [eax + eax]
            //   488905????????       |                     

        $sequence_2 = { 8bf9 0f8586000000 488bca e8???????? 4c8d0da8df0200 4c8d1db1ff0200 4c63d0 }
            // n = 7, score = 100
            //   8bf9                 | dec                 eax
            //   0f8586000000         | dec                 ebx
            //   488bca               | dec                 eax
            //   e8????????           |                     
            //   4c8d0da8df0200       | div                 ebp
            //   4c8d1db1ff0200       | cmp                 dl, 0xa
            //   4c63d0               | dec                 eax

        $sequence_3 = { 5f 5e 5b c3 488d0dd93f0300 e8???????? }
            // n = 6, score = 100
            //   5f                   | lea                 edi, [edi + 4]
            //   5e                   | dec                 eax
            //   5b                   | lea                 edx, [0x1385d]
            //   c3                   | dec                 eax
            //   488d0dd93f0300       | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     

        $sequence_4 = { 488d4c2460 e8???????? 90 488d0d4e280400 ff15???????? }
            // n = 5, score = 100
            //   488d4c2460           | sar                 eax, 5
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488d0d4e280400       | cmp                 eax, 1
            //   ff15????????         |                     

        $sequence_5 = { c705????????01000000 b808000000 486bc000 488d0d42e30200 48c7040102000000 b808000000 486bc000 }
            // n = 7, score = 100
            //   c705????????01000000     |     
            //   b808000000           | lea                 edx, [0x16026]
            //   486bc000             | dec                 eax
            //   488d0d42e30200       | lea                 ecx, [0x15ff7]
            //   48c7040102000000     | test                eax, eax
            //   b808000000           | jne                 0x107
            //   486bc000             | dec                 eax

        $sequence_6 = { 488bf9 e8???????? 488d05bcf10200 488907 488d05caf10200 0f104318 488b5c2430 }
            // n = 7, score = 100
            //   488bf9               | cmp                 byte ptr [esi + 0x18], 1
            //   e8????????           |                     
            //   488d05bcf10200       | jne                 0x1a0
            //   488907               | dec                 eax
            //   488d05caf10200       | cmp                 edi, dword ptr [eax + 8]
            //   0f104318             | je                  0x195
            //   488b5c2430           | inc                 ecx

        $sequence_7 = { 754d 33d2 41b800800000 488bcb ff15???????? 8b05???????? 33c9 }
            // n = 7, score = 100
            //   754d                 | dec                 eax
            //   33d2                 | mov                 ecx, dword ptr [ebp - 0x40]
            //   41b800800000         | dec                 eax
            //   488bcb               | mov                 dword ptr [ebp - 0x28], 0xf
            //   ff15????????         |                     
            //   8b05????????         |                     
            //   33c9                 | dec                 esp

        $sequence_8 = { 488bf9 4c8bca 4c8d0505650300 488d4c2430 8d5340 895c2420 e8???????? }
            // n = 7, score = 100
            //   488bf9               | inc                 ecx
            //   4c8bca               | mov                 byte ptr [eax + 8], al
            //   4c8d0505650300       | mov                 al, dl
            //   488d4c2430           | shl                 dl, 2
            //   8d5340               | add                 al, dl
            //   895c2420             | add                 al, al
            //   e8????????           |                     

        $sequence_9 = { 33c9 ff15???????? 488bc8 e8???????? 90 4883bc24f800000010 720d }
            // n = 7, score = 100
            //   33c9                 | dec                 eax
            //   ff15????????         |                     
            //   488bc8               | mov                 ecx, ebx
            //   e8????????           |                     
            //   90                   | test                eax, eax
            //   4883bc24f800000010     | je    0x8b4
            //   720d                 | dec                 eax

    condition:
        7 of them and filesize < 4667392
}