PILLOWMINT

PILLOWMINT is classified as a PoS (Point-of-Sale) malware that is designed to collect credit card data from the compromised devices. The threat can obtain both Track and Track 2 data. Track 1 consists of the cardholder name, account number (PAN), expiration date, bank ID, and other details used by the issuing bank to validate the received data. Track 2 contains all of the same data just without the cardholder name.

Infosec researchers have attributed the PILLOWMINT threat to the financially motivated threat actor known as the FIN7 group (also tracked as Carbanak). FIN7's operations are mostly targeted at the hospitality, health, and restaurant sectors.

Technical Details

PILLOWMINT is delivered to the targeted systems via a corrupted shim database. This technique also acts as a persistence mechanism for the threat. Shim databases are part of the Windows Application Compatibility Framework, which was created by Microsoft to allow legacy Windows applications to work optimally on newer Windows versions.

Once initiated, the malware begins logging its own activity and writing it in a file named 'log.log' that is dropped in either '%WinDir%\System32\MUI' or '%WinDir%\System32\Sysvols' depending on the exact version of the threat. PILLOWMINT supports 8 different levels of logging. At level 0 no logging takes place, while each progressive level above it includes more and more details. Levels 6, 7, and 8 are not used.

The threatening capabilities of the malware include a memory scraper that obtains the targeted credit card details and a process list updater that activates every 6 seconds and goes through the currently running processes. Older PILLOWMINT versions also have a holdover process command thread. This functionality appears to be a remnant from earlier incarnations of the threat. Only two commands are recognized - terminate its malware processes and simulate its own crash.

It should be noted that PILLOWMINT doesn't exfiltrate the harvested data. In this attack operation, it is assumed that the threat actor has already achieved full control over the targeted devices and the information will be transmitted via other threatening tools.