win.pillowmint

PILLOWMINT

Actor(s): Anunak


According to FireEye, PILLOWMINT is a Point-of-Sale (POS) malware tool used to scrape track 1 and track 2 payment card data from process memory.
Scraped payment card data is stored encrypted in the registry and as plaintext in a file (T1074: Data Staged).
It also contains backdoor capabilities, including:
Listing running processes
Downloading and executing files (T1105: Remote File Copy)
Downloading and injecting DLLs (T1055: Process Injection)
Communicating with a command and control (C2) server over HTTP using AES-encrypted messages
(T1071: Standard Application Layer Protocol)
(T1032: Standard Cryptographic Protocol)
Note: the ATT&CK technique names above are quoted as they appeared in the 2018 FireEye source; several have since been renamed or deprecated in later ATT&CK versions, so verify the current mapping before reusing them in detections or reports.

References
2020-06-22 — Trustwave — Rodel Mendrez
@online{mendrez:20200622:pillowmint:c696f56, author = {Rodel Mendrez}, title = {{Pillowmint: FIN7’s Monkey Thief}}, date = {2020-06-22}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/}, language = {English}, urldate = {2020-06-24} } Pillowmint: FIN7’s Monkey Thief
PILLOWMINT
2018-10-01 — FireEye — Regina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
Yara Rules
[TLP:WHITE] win_pillowmint_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence rule for PILLOWMINT (Malpedia: win.pillowmint).
// The signature is the 10 hex byte-sequences below, lifted by YARA-Signator from
// disassembly of memory dumps / unpacked samples; it is NOT a string- or import-based rule.
rule win_pillowmint_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): treat the hex bytes as authoritative and ignore the
     * per-line "| mnemonic" annotations. They do not decode from the bytes they
     * sit next to: e.g. `3d 04 00 00 c0` is `cmp eax, 0xc0000004`, `41 b8 00 80 00 00`
     * is `mov r8d, 0x8000` and `48 8b cb` is `mov rcx, rbx` (REX-prefixed x64),
     * whereas the annotations read like a 32-bit decode of a shifted stream.
     * The `????????` wildcards mask the 4-byte rel32/disp32 operands that follow
     * `ff 15` (indirect call), `e8` (call) and `48 8b 0d` / `83 3d` (RIP-relative
     * data refs), i.e. the parts that change with image base and layout.
     * "n" is the number of instructions in the sequence; "score" is a
     * yara-signator ranking value — presumably its confidence, confirm against
     * the tool's documentation before using it to weight hits.
     */

    strings:
        $sequence_0 = { 3d040000c0 754d 33d2 41b800800000 488bcb ff15???????? 8b05???????? }
            // n = 7, score = 100
            //   3d040000c0           | dec                 eax
            //   754d                 | mov                 ecx, dword ptr [esp + 0x38]
            //   33d2                 | dec                 eax
            //   41b800800000         | xor                 ecx, esp
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   8b05????????         |                     

        $sequence_1 = { 498bd4 48833d????????10 480f4315???????? 488d8db8010000 e8???????? 4885c0 488b85a0010000 }
            // n = 7, score = 100
            //   498bd4               | je                  0xc68
            //   48833d????????10     |                     
            //   480f4315????????     |                     
            //   488d8db8010000       | cmp                 ecx, dword ptr [ebx + 0x20]
            //   e8???????? |                     
            //   4885c0               | dec                 eax
            //   488b85a0010000       | mov                 ebx, eax

        $sequence_2 = { 488b742438 448be0 4885f6 0f8427010000 4c8b742430 6690 ba52831e00 }
            // n = 7, score = 100
            //   488b742438           | lea                 edx, [0x2af44]
            //   448be0               | dec                 eax
            //   4885f6               | mov                 ecx, esi
            //   0f8427010000         | dec                 eax
            //   4c8b742430           | mov                 edx, esi
            //   6690                 | inc                 ecx
            //   ba52831e00           | mov                 eax, 7

        $sequence_3 = { 90 488d0d4e280400 ff15???????? 833d????????01 0f8c8d030000 48c745c80f000000 }
            // n = 6, score = 100
            //   90                   | mov                 eax, edi
            //   488d0d4e280400       | jmp                 0x8b6
            //   ff15????????         |                     
            //   833d????????01       |                     
            //   0f8c8d030000         | dec                 ecx
            //   48c745c80f000000     | or                  eax, 0xffffffff

        $sequence_4 = { 4885c0 488b8580000000 48634804 488d8c0d80000000 7512 }
            // n = 5, score = 100
            //   4885c0               | dec                 eax
            //   488b8580000000       | mov                 dword ptr [ebp - 0x40], 0xf
            //   48634804             | dec                 eax
            //   488d8c0d80000000     | mov                 dword ptr [ebp - 0x48], edi
            //   7512                 | inc                 eax

        $sequence_5 = { ff15???????? 833d????????05 0f8c9c050000 48c78424680300000f000000 4889bc2460030000 c684245003000000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   833d????????05       |                     
            //   0f8c9c050000         | dec                 eax
            //   48c78424680300000f000000     | lea    ecx, [ebp - 0x80]
            //   4889bc2460030000     | nop                 
            //   c684245003000000     | nop                 

        $sequence_6 = { 6690 4c8bfb 488d5320 488b7210 48837a1810 7203 488b12 }
            // n = 7, score = 100
            //   6690                 | lea                 ecx, [esp + 0x60]
            //   4c8bfb               | nop                 
            //   488d5320             | dec                 eax
            //   488b7210             | lea                 ecx, [0x3b376]
            //   48837a1810           | jl                  0x12cd
            //   7203                 | dec                 eax
            //   488b12               | lea                 ecx, [esp + 0x60]

        $sequence_7 = { 490304c9 488d0d87e40200 eb0a 488d0d7ee40200 488bc1 f640387f 7524 }
            // n = 7, score = 100
            //   490304c9             | lea                 eax, [0x3580e]
            //   488d0d87e40200       | dec                 eax
            //   eb0a                 | mov                 dword ptr [edx + ecx - 0x18], eax
            //   488d0d7ee40200       | dec                 eax
            //   488bc1               | mov                 eax, dword ptr [ecx - 0x18]
            //   f640387f             | dec                 eax
            //   7524                 | mov                 eax, dword ptr [ecx + 0xf0]

        $sequence_8 = { 4883bdb800000010 720c 488b8da0000000 e8???????? 4c89bdb8000000 48899db0000000 c685a000000000 }
            // n = 7, score = 100
            //   4883bdb800000010     | dec                 ecx
            //   720c                 | bt                  edx, eax
            //   488b8da0000000       | nop                 dword ptr [eax]
            //   e8????????           |                     
            //   4c89bdb8000000       | dec                 eax
            //   48899db0000000       | cmp                 ecx, dword ptr [edx]
            //   c685a000000000       | jne                 0xb0b

        $sequence_9 = { e9???????? 4c8d358e230200 488b0d???????? eb7b 4c8d3576230200 488b0d???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   4c8d358e230200       | dec                 eax
            //   488b0d????????       |                     
            //   eb7b                 | lea                 eax, [0xfffdbd41]
            //   4c8d3576230200       | dec                 edx
            //   488b0d????????       |                     

    condition:
        // Match when at least 7 of the 10 sequences are present in a file
        // smaller than 4667392 bytes (~4.45 MiB). Because the sequences were
        // taken from unpacked code, run this against dumped/unpacked images
        // rather than packed droppers. NOTE(review): `filesize` is undefined
        // when YARA scans a live process, so the rule cannot match in process
        // scans — dump the region to a file first, or drop the size clause for
        // in-memory use.
        7 of them and filesize < 4667392
}