Home > List all groups > List all tools > List all groups using tool TinyPOS

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: TinyPOS

TypePOS malware, Backdoor, Info stealer
Description(Forcepoint) It all starts with the delivery of a small loader called TinyLoader, an obfuscated executable withsimple -yet powerful- downloader functionality. Upon execution, it will first brute force its own decryption key (a 32-bit value, meaning this takes a fraction of second on modern PCs) before using this to decrypt the main program code.

Code-wise the POS component is very similar to the loader, except there is no additional encryption, as whenever it is delivered the operators are almost certain -due to the pre-filtering above- that a valuable target has been identified.
This component works like any other POS memory scraper: opening processes based on either a predefined black or whitelist of process names, creating a new thread for each matching one and scanning their full memory range for Track 1 and Track 2 credit card data. If such data is found, first it will be verified by the Luhn algorithm for integrity, then it will be encrypted by a pre-defined key (another 32 or 64-bit value stored in the POS binary itself) and either sent to yet another C2 identified, again, by IP/port combination or it will be saved locally.
AlienVault OTX<>

Last change to this tool card: 25 May 2020

Download this tool card in JSON format

Previous: TinyNuke
Next: TinyPosh

All groups using tool TinyPOS


APT groups

 Tiny Spider[Unknown]2015-2017 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key