add GratefulPOS

2017-12-19 12:17:42 +01:00 · 2017-12-19 12:17:42 +01:00 · eb9a49df81
parent a9e5cff50f
commit eb9a49df81
2 changed files with 20 additions and 2 deletions
--- a/clusters/banker.json
+++ b/clusters/banker.json
@ -484,9 +484,18 @@
      },
      "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
      "value": "IcedID"
+    },
+    {
+      "value": "GratefulPOS",
+      "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+      "meta": {
+        "refs": [
+          "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+        ]
+      }
    }
  ],
-  "version": 4,
+  "version": 5,
  "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
  "description": "A list of banker malware.",
  "authors": [
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -10,7 +10,7 @@
  ],
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 43,
+  "version": 44,
  "values": [
    {
      "meta": {
@ -3160,6 +3160,15 @@
          "OSX/Pirrit"
        ]
      }
+    },
+    {
+      "value": "GratefulPOS",
+      "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+      "meta": {
+        "refs": [
+          "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+        ]
+      }
    }
  ]
 }