From eb9a49df815ada8bdb54975a52b07d8aefb3c08b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 19 Dec 2017 12:17:42 +0100
Subject: [PATCH] add GratefulPOS
---
 clusters/banker.json | 11 ++++++++++-
 clusters/tool.json | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/clusters/banker.json b/clusters/banker.json
index 8caacc7..7a5810c 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -484,9 +484,18 @@
 },
 "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
 "value": "IcedID"
+ },
+ {
+ "value": "GratefulPOS",
+ "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+ "meta": {
+ "refs": [
+ "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+ ]
+ }
 }
 ],
- "version": 4,
+ "version": 5,
 "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
 "description": "A list of banker malware.",
 "authors": [
diff --git a/clusters/tool.json b/clusters/tool.json
index 6196580..dce592e 100644
--- a/clusters/tool.json
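Review bot: The added GratefulPOS `description` in clusters/banker.json carries paste residue from the source write-up: the footnote marker `[iii]` resolves to nothing in this file and the vendor name is spelled `Anomoli` (presumably Anomali); the identical string is added again in the last clusters/tool.json hunk. I would end the sentence as `...in his analysis of FrameworkPOS in 2014, and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.` and add the two analyses it cites to `meta.refs`, since an analyst pivoting from the cluster currently reaches only the RSA post. The entry also lands in a cluster whose own description reads "A list of banker malware." although the text describes a POS card-data scraper, and keeping a verbatim copy in both files means two records that can drift apart; keeping it in tool.json only looks like the better fit.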
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 43,
+ "version": 44,
 "values": [
 {
 "meta": {
@@ -3160,6 +3160,15 @@
 "OSX/Pirrit"
 ]
 }
+ },
+ {
+ "value": "GratefulPOS",
+ "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
+ "meta": {
+ "refs": [
+ "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+ ]
+ }
 }
 ]
 }