S0169: RawPOS
Analyst context for executives and security teams
RawPOS matters because it is malware focused on finding cardholder data in point-of-sale environments, specifically on Windows systems. For business leaders, the risk is not just malware presence; it is the possibility that payment operations, customer trust, incident reporting, and cardholder-data control evidence may all depend on whether POS endpoints are monitored well enough to prove what was accessed, staged, or persisted.
Executive priority
Prioritize RawPOS-style behavior where Windows POS or payment-adjacent systems handle sensitive card data. Executives should ask whether the organization can rapidly answer: which POS hosts run unauthorized services, whether local systems contain exposed cardholder data, whether collected data was staged or archived, and whether SOC/IR teams have endpoint evidence from payment environments. This is especially material for sectors reflected in the relationship context, including restaurant, gaming, and hotel environments targeted by FIN5.
Technical view
ATT&CK does not provide a specific detection entry for RawPOS, so validation should be built from the official description and relationships. Defenders should focus on Windows POS endpoints for evidence of memory scraping or local searching for cardholder data, unauthorized or suspicious Windows services, masqueraded task or service names, local staging directories or files, and custom archiving behavior. The FIENDCRY component is described as scanning process memory for regular expressions, while DUEBREW is a launcher and DRIFTWOOD is a Perl2Exe compiled Perl script used after data of interest is identified; these details support hunting for unusual process memory access, compiled script-like binaries, and staged sensitive-data artifacts without assuming a single indicator set.
Likely telemetry
- Windows endpoint process execution and command-line telemetry from POS systems
- Windows service creation, modification, service name, display name, and executable path data
- Registry telemetry related to Windows service configuration
- File creation, file modification, and directory monitoring for local staging locations
- Endpoint alerts or forensic evidence of unusual process memory access on POS hosts
Detection direction
- Validate that payment/POS endpoints are actually covered by EDR, logging, and retention; these systems are often operationally sensitive and may have monitoring gaps.
- Tune detections for newly created or modified Windows services, especially services with misleading names, unexpected executable paths, or names similar to legitimate services.
- Hunt for collection patterns tied to Data from Local System and Local Data Staging: local file searches, staged output files, and movement of collected data into central directories on the host.
- Review process behavior for memory scraping indicators on POS systems, while accounting for legitimate payment software that may access sensitive processes.
- Look for custom archive or encryption artifacts before exfiltration; absence of standard archiving utilities should not be treated as absence of staging.
Mitigation priorities
- Reduce cardholder-data exposure on local POS systems and confirm whether sensitive data is stored or present in process memory longer than operationally required.
- Harden Windows POS endpoints by restricting who can create or modify services and by baselining approved service names, paths, and binaries.
- Segment and closely monitor POS/payment environments so endpoint collection, staging, and persistence behavior is visible to the SOC.
- Maintain tested incident response procedures for payment environments, including forensic acquisition, service review, staged-data review, and evidence preservation.
- Use allowlisting or equivalent execution control where operationally feasible for fixed-function POS systems.
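The service-baselining check from the detection and mitigation lists above, as an added example that is not part of the original page or of Glexia's or MITRE's tooling. It assumes your SIEM exports Windows System log service-installation records (Event ID 7045 fields) as dictionaries; the hosts, service names, paths and approved baseline are constructed, and only the three display names and the "memdump" directory name come from the ATT&CK procedure text.

```python
"""Flag service-installation records from POS hosts that deviate from an approved baseline."""
import re

# Constructed sample records (assumption: 7045 fields exported as name/display/path/start).
SAMPLE_EVENTS = [
    {"host": "pos-01", "name": "WinMgmtHelp", "display": "Windows Management Help Service",
     "path": r"C:\Windows\Temp\svc\wmhs.exe", "start": "auto"},
    {"host": "pos-01", "name": "Spooler", "display": "Print Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
    {"host": "pos-02", "name": "MsSupport", "display": "Microsoft Support",
     "path": r"C:\ProgramData\memdump\mss.exe", "start": "auto"},
    {"host": "pos-03", "name": "PayAgent", "display": "Vendor Payment Agent",
     "path": r"C:\Program Files\Vendor\payagent.exe", "start": "auto"},
]

# Approved baseline for the POS image: service name -> expected binary path (assumed values).
BASELINE = {
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "PayAgent": r"C:\Program Files\Vendor\payagent.exe",
}
# Directories where vendor-named binaries are expected to live on this image (assumed).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_WORDS = re.compile(r"\b(windows|microsoft)\b", re.I)
STAGING_DIR = re.compile(r"\\memdump\\", re.I)  # staging directory name from the procedure text


def review_service(ev):
    """Return the reasons a single service-install record deviates from the baseline."""
    reasons = []
    path = ev["path"].lower()
    expected = BASELINE.get(ev["name"])
    if expected is None:
        reasons.append("service not in approved baseline")
    elif expected.lower() != path:
        reasons.append("binary path differs from baseline")
    # Misleading-name check: Windows/Microsoft wording with a binary outside trusted directories.
    if VENDOR_WORDS.search(ev["display"]) and not path.startswith(TRUSTED_DIRS):
        reasons.append("vendor-styled display name but binary outside trusted directories")
    if STAGING_DIR.search(path):
        reasons.append("binary path under a 'memdump' directory")
    return reasons


def triage(events):
    """Map 'host:service' to its deviation reasons, omitting records that match the baseline."""
    findings = {}
    for ev in events:
        reasons = review_service(ev)
        if reasons:
            findings[f"{ev['host']}:{ev['name']}"] = reasons
    return findings
```

Feed the SIEM export into `triage()` and review each finding against change tickets; a service that is simply missing from the baseline is a maintenance gap, while vendor-styled names outside trusted paths or under a "memdump" directory warrant forensic acquisition.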
Analyst notes and limits
This take is based on the ATT&CK RawPOS software object, its official description, external references, and relationships. The strongest decision value comes from connecting the malware’s stated focus on cardholder data with the related techniques: Data from Local System, Masquerade Task or Service, Local Data Staging, Windows Service, and Archive via Custom Method. The FIN5 relationship provides useful sector and motivation context but should not be used alone for incident attribution.
ATT&CK provides no official detection text, no explicit tactic list for the malware object, and no current activity claim. The supplied platform is Windows, but several related techniques list broader platforms; this take applies RawPOS validation primarily to Windows POS/payment systems because that is the supported malware platform. Local environment baselines, asset inventory, and forensic evidence are required to determine exposure or compromise.
RawPOS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerade Task or Service | New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager". (Citation: Kroll RawPOS Jan 2017; TrendMicro RawPOS April 2015; Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1560.003 | Archive via Custom Method | RawPOS encodes credit card data it collected from the victim with XOR. (Citation: TrendMicro RawPOS April 2015; Mandiant FIN5 GrrCON Oct 2016; Visa RawPOS March 2015) |
| Enterprise | T1005 | Data from Local System | RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data. (Citation: Kroll RawPOS Jan 2017; TrendMicro RawPOS April 2015; Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1074.001 | Local Data Staging | Data captured by RawPOS is placed in a temporary file under a directory named "memdump". (Citation: Kroll RawPOS Jan 2017) |
| Enterprise | T1543.003 | Windows Service | RawPOS installs itself as a service to maintain persistence. (Citation: Kroll RawPOS Jan 2017; TrendMicro RawPOS April 2015; Mandiant FIN5 GrrCON Oct 2016) |
Groups, software, and campaigns
G0053: FIN5
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4605b5b907a8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kroll RawPOS Jan 2017: Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder's Toolkit. Retrieved October 4, 2017.
[2] TrendMicro RawPOS April 2015: TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
[3] Visa RawPOS March 2015: Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
[4] Mandiant FIN5 GrrCON Oct 2016: Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
[5] DarkReading FireEye FIN5 Oct 2015: Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
[6] DRIFTWOOD: The DRIFTWOOD component is a Perl2Exe compiled Perl script used by G0053 after they have identified data of interest on victims. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
[7] DUEBREW: The DUEBREW component is a Perl2Exe binary launcher. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
[8] FIENDCRY: The FIENDCRY component is a memory scraper based on MemPDump that scans through process memory looking for regular expressions. Its stage 1 component scans all processes, and its stage 2 component targets a specific process of interest. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Github Mempdump) (Citation: DarkReading FireEye FIN5 Oct 2015)
[9] Github Mempdump: DiabloHorn. (2015, March 22). mempdump. Retrieved October 6, 2017.
[10] RawPOS: (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: DarkReading FireEye FIN5 Oct 2015)
[11] mitre-attack S0169
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.