SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pillowmint (Back to overview)

PILLOWMINT

Actor(s): Anunak


According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.
Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)
Contains additional backdoor capabilities including:
Running processes
Downloading and executing files (T1105: Remote File Copy)
Downloading and injecting DLLs (T1055: Process Injection)
Communicates with a command and control (C2) server over HTTP using AES encrypted messages
(T1071: Standard Application Layer Protocol)
(T1032: Standard Cryptographic Protocol)

References
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2020-06-22TrustwaveRodel Mendrez
@online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7’s Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} } Pillowmint: FIN7’s Monkey Thief
PILLOWMINT
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
Yara Rules
[TLP:WHITE] win_pillowmint_auto (20210616 | Detects win.pillowmint.)
rule win_pillowmint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.pillowmint."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 4883bde800000000 7449 488d5508 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   4883bde800000000     | jb                  0x75
            //   7449                 | dec                 eax
            //   488d5508             | mov                 ecx, dword ptr [ebp - 0x70]

        $sequence_1 = { c605????????00 488d0d166f0200 e8???????? 488d1d9a992200 48833d????????00 753d }
            // n = 6, score = 100
            //   c605????????00       |                     
            //   488d0d166f0200       | dec                 ecx
            //   e8????????           |                     
            //   488d1d9a992200       | sar                 esi, 2
            //   48833d????????00     |                     
            //   753d                 | dec                 ecx

        $sequence_2 = { 4533c0 488d542460 488d4db0 e8???????? 803d????????00 0f846e010000 33d2 }
            // n = 7, score = 100
            //   4533c0               | dec                 eax
            //   488d542460           | lea                 ecx, dword ptr [esp + 0x50]
            //   488d4db0             | nop                 
            //   e8????????           |                     
            //   803d????????00       |                     
            //   0f846e010000         | nop                 
            //   33d2                 | dec                 esp

        $sequence_3 = { 803d????????00 0f84a4010000 33d2 41b818010000 488d8c2430010000 e8???????? }
            // n = 6, score = 100
            //   803d????????00       |                     
            //   0f84a4010000         | dec                 eax
            //   33d2                 | mov                 dword ptr [ebp + 0x88], eax
            //   41b818010000         | dec                 eax
            //   488d8c2430010000     | lea                 ecx, dword ptr [ebp + 0x88]
            //   e8????????           |                     

        $sequence_4 = { 488d15ad7d0200 488d4d9f e8???????? 90 41b001 488d559f 8d4b02 }
            // n = 7, score = 100
            //   488d15ad7d0200       | jne                 0x42f
            //   488d4d9f             | inc                 ecx
            //   e8????????           |                     
            //   90                   | or                  ah, 8
            //   41b001               | dec                 eax
            //   488d559f             | mov                 edx, dword ptr [ebp - 0x19]
            //   8d4b02               | mov                 ecx, dword ptr [ebx]

        $sequence_5 = { 803800 7505 4d8bc5 eb12 4c8bc3 0f1f440000 49ffc0 }
            // n = 7, score = 100
            //   803800               | jb                  0xbd
            //   7505                 | dec                 eax
            //   4d8bc5               | mov                 ecx, dword ptr [ebp - 1]
            //   eb12                 | dec                 eax
            //   4c8bc3               | mov                 ebx, eax
            //   0f1f440000           | dec                 esp
            //   49ffc0               | lea                 eax, dword ptr [ebp + 0xa0]

        $sequence_6 = { 488b1d???????? e8???????? 488d15652a2000 488d4c2430 e8???????? 488d4c2430 e8???????? }
            // n = 7, score = 100
            //   488b1d????????       |                     
            //   e8????????           |                     
            //   488d15652a2000       | mov                 byte ptr [edi], dl
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     
            //   488d4c2430           | test                eax, eax
            //   e8????????           |                     

        $sequence_7 = { 4a3b0ccb 740d 49ffc1 4c3bca 72f2 e9???????? }
            // n = 6, score = 100
            //   4a3b0ccb             | dec                 eax
            //   740d                 | add                 esp, 0x20
            //   49ffc1               | pop                 edi
            //   4c3bca               | dec                 eax
            //   72f2                 | mov                 ebx, dword ptr [esp + 0x30]
            //   e9????????           |                     

        $sequence_8 = { 3b0d???????? 7326 4863c9 488d15f8e00100 488bc1 83e11f }
            // n = 6, score = 100
            //   3b0d????????         |                     
            //   7326                 | xor                 edx, edx
            //   4863c9               | inc                 ecx
            //   488d15f8e00100       | mov                 eax, 0x234
            //   488bc1               | dec                 eax
            //   83e11f               | lea                 ecx, dword ptr [esp + 0x114]

        $sequence_9 = { 723e 488d4c2430 48895c2420 488b1d???????? e8???????? 488d15ad440100 488d4c2430 }
            // n = 7, score = 100
            //   723e                 | dec                 eax
            //   488d4c2430           | lea                 ecx, dword ptr [esp + 0x30]
            //   48895c2420           | dec                 eax
            //   488b1d????????       |                     
            //   e8????????           |                     
            //   488d15ad440100       | lea                 ecx, dword ptr [esp + 0x30]
            //   488d4c2430           | dec                 eax

    condition:
        7 of them and filesize < 4667392
}
Download all Yara Rules