Pillowmint – FIN7’s Point-of-Sale Trojan


Saturday, June 27th, 2020

Pillowmint is point-of-sale (POS) malware that targets Track 1 and Track 2 credit card data. Over the past few years the threat actor known as FIN7, also called the Carbanak group, has been targeting the hospitality and restaurant industries for financial gain.


The malware is installed using the Windows native binary sdbinst.exe, which is used to install shim databases that help legacy applications run on newer Windows operating systems. Once the malicious shim database is registered, the database file is placed in the shim database path “%windir%\AppPatch\Custom\Custom64\{GUID}.sdb”, added to Windows’ Application Compatibility Program Inventory, and recorded in the registry under “HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\services.exe” with the value name “{GUID}.sdb”.

A shim database contains “patch bits” that would normally be used for legacy support; here, however, the threat actors crafted custom malicious patch code that targets a specific service and specific Windows API functions. When the “patched” service calls one of those functions, the patch runs shellcode that decompresses the malicious payload and allocates it in the parent process’s memory space. Pillowmint has been seen injecting its code into svchost.exe.
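The installation chain above leaves three observable traces on a host: sdbinst.exe executing against an .sdb file, a new .sdb under %windir%\AppPatch\Custom\, and a registry value under AppCompatFlags\Custom\<process>. The following added example (not code from the original post or from any vendor) shows detection logic for those traces run over a handful of constructed Sysmon-style JSON events; the GUID, file paths and event shapes are placeholders I made up for illustration, and the rule names and severities are my own choices.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style events (JSON lines). These are NOT real telemetry;
# the GUID and paths are placeholders modelled on the persistence chain above.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe", "CommandLine": "sdbinst.exe -q C:\\Users\\Public\\update.sdb"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\sdbinst.exe", "TargetFilename": "C:\\Windows\\AppPatch\\Custom\\Custom64\\{00000000-0000-0000-0000-000000000000}.sdb"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\sdbinst.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\services.exe\\{00000000-0000-0000-0000-000000000000}.sdb"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"}
"""

# Indicators derived from the installation steps described in the post.
SDBINST_RE = re.compile(r"(^|\\)sdbinst\.exe$", re.IGNORECASE)
APPCOMPAT_CUSTOM_RE = re.compile(r"\\AppCompatFlags\\Custom\\([^\\]+)\\", re.IGNORECASE)
APPPATCH_CUSTOM_RE = re.compile(r"\\AppPatch\\Custom\\.*\.sdb$", re.IGNORECASE)
# Processes the post names as shim targets / injection hosts; a shim registered
# against one of these is far more suspicious than one against a line-of-business app.
SENSITIVE_SHIM_TARGETS = {"services.exe", "svchost.exe"}


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(idx: int, ev: Dict) -> List[Dict]:
    """Apply the three shim-persistence rules to one event; return findings."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    # Rule 1: process creation of sdbinst.exe. Legitimate in software deployment,
    # so only medium severity, but the .sdb source path is carried into the finding
    # because an analyst will want to pull that file.
    if eid == 1 and SDBINST_RE.search(image):
        cmd = ev.get("CommandLine", "")
        m = re.search(r"\S+\.sdb", cmd, re.IGNORECASE)
        findings.append({"event": idx, "rule": "sdbinst_execution",
                         "severity": "medium", "detail": m.group(0) if m else cmd})

    # Rule 2: a new .sdb written under the custom shim directory.
    if eid == 11 and APPPATCH_CUSTOM_RE.search(ev.get("TargetFilename", "")):
        findings.append({"event": idx, "rule": "custom_sdb_written",
                         "severity": "medium", "detail": ev["TargetFilename"]})

    # Rule 3: registry value set under AppCompatFlags\Custom\<shimmed process>.
    # The subkey name is the process the shim applies to; services.exe or
    # svchost.exe as a target raises the severity to high.
    if eid == 13:
        m = APPCOMPAT_CUSTOM_RE.search(ev.get("TargetObject", ""))
        if m:
            shimmed = m.group(1).lower()
            sev = "high" if shimmed in SENSITIVE_SHIM_TARGETS else "medium"
            findings.append({"event": idx, "rule": "appcompat_custom_shim_registered",
                             "severity": sev, "detail": shimmed})
    return findings


def scan(text: str) -> List[Dict]:
    """Run every rule over every event and collect the findings in event order."""
    out: List[Dict] = []
    for i, ev in enumerate(parse_events(text)):
        out.extend(check_event(i, ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] event {f['event']}: {f['rule']} -> {f['detail']}")
```

Run against the constructed sample, the scanner flags the three events from the malicious chain and ignores the two benign ones; correlating all three rules on the same host within a short window is the stronger signal, since sdbinst.exe alone is common in enterprise software rollouts.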


The capabilities of Pillowmint include:

  • Verbose logging (8 different levels)
  • Memory scraper that uses the Windows API calls OpenProcess() and ReadProcessMemory() to read and capture the credit card data
  • Update Process List, which updates the list of running processes the malware scrapes
  • Process Commands, which supports only two commands: “s” or “S” to stop the malware, and “crash” to crash the process

Pillowmint does not exfiltrate the stolen credit card data itself; instead it encrypts the data and moves it to a different location for collection later.

