{
	"id": "278a9ca2-7f96-4f90-9fde-906b89f2ee1e",
	"created_at": "2026-04-06T01:30:37.177683Z",
	"updated_at": "2026-04-10T03:36:37.189857Z",
	"deleted_at": null,
	"sha1_hash": "5d18e498ed688aa7e38da271bb50c5916d192b5e",
	"title": "Operation SyncTrek",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2160089,
	"plain_text": "Operation SyncTrek\r\nBy S2W\r\nPublished: 2021-02-17 · Archived: 2026-04-06 00:44:41 UTC\r\n19 min read\r\nFeb 15, 2021\r\nDeep Analysis of TinyPos from the Clop Gang’s Crime Scene | S2WLAB Talon\r\nAuthor:\r\n(Sojun Ryu), S2WLAB Talon\r\nThis report is published in collaboration with Theori.\r\n[+] TABLE OF CONTENTS1. Introduction\r\n2. Background Knowledge\r\n3. Summary\r\n4. Analysis of TinyPos\r\n - Analysis and Comparison of TinyPoS installation methods\r\n - Detailed Feature Analysis\r\n - Possibility of Exfiltration\r\n - Possibility of Misuse of Stolen Card Information5. Correlation Analysis\r\n - Clop\r\n - Azorult\r\n - AbaddonPoS \u0026 PinkKite\r\n - TinyLoader\r\n - DoppelPaymer\r\n - ProLock\r\n - Overall Connection6. Conclusion\r\n7. Actionable Items\r\nIntroduction\r\nClop ransomware is well-known enterprise-targeted ransomware that has been active since early 2019. Clop\r\nransomware is an ongoing threat actively attacking the world. TA505, known as the operator of Clop ransomware,\r\nhas been targeting the financial sector since 2014. Many experts and reports from them have asserted that there is\r\na strong correlation between Clop ransomware and the TA505 threat actor.\r\nhttps://medium.com/s2wlab/operation-synctrek-e5013df8d167\r\nPage 1 of 17\n\nBy posting 13 victims as a starter, Clop ransomware has launched a leak site titled “CL0P^_- LEAKS” around\r\nMarch 2020. One of the main purposes of running the leak site is to threat victim companies with their stolen data\r\ncontaining sensitive and confidential information which will be exposed to the public (Dark Web) if ransom\r\nnegotiation fails.\r\nWe have observed that TA505 used TinyPoS malware while performing the Clop ransomware attack during the\r\nrecent incident response. 
TinyPoS was first discovered in 2015, when PoS malware was at its peak. It is a ‘memory scraper’ that targets PoS (point-of-sale) or ATM processes in order to steal Track 1 or Track 2 data from process memory. TinyPoS either exfiltrates the stolen data over the network or saves it to a file; the latter was used in this incident. The adversary stored the collected data on a collection server located inside the victim’s network and continuously retrieved it from there.\r\nWhile investigating past cases related to TinyPoS, we confirmed additional connections not only with Clop ransomware but also with the DoppelPaymer and ProLock ransomware families. We have evidence that TinyPoS was deployed from servers that were also used by DoppelPaymer, and the routine that decodes the TinyPoS binary before execution is highly similar to that of ProLock.\r\nThese examples show that cybercriminals are cooperating in some form, and that adversaries who targeted the financial sector in the past are still attempting to steal card data. TinyPoS also continues to appear in PoS-related incidents according to a report published by VISA. That report emphasizes that threat actors are still attempting to steal card data and that it is necessary to review and rebuild defenses to be prepared for such attacks. We hope this report is helpful when researching these malware families and threat groups.\r\nBackground Knowledge\r\nThe card data that PoS malware attempts to steal is usually Track 1 or Track 2 data, which is stored on the magnetic stripe on the back of the card. Track 1 includes the card number (PAN), the cardholder name, the expiration date and other fields. 
Track 2 is almost identical to Track 1, but it does not include the cardholder name. The majority of card payment systems use Track 2 data because it contains only the information needed for a transaction and its authorization. Once leaked, Track 2 data is the most actively traded card data on the deep and dark web, because it can be used to produce counterfeit cards.\r\nSummary\r\nTinyPoS is very small, under 8KB, and runs in memory as raw shellcode, so it needs a launcher and a loader to execute. The adversary used several methods for this, classified as follows.\r\n[Figure 2] Classification of TinyPoS installation\r\nTinyPoS steals data from memory in real time, and the adversary executes it periodically through the Task Scheduler. We confirmed that the scheduled task was registered mainly by a command issued through previously installed remote-control malware or through a batch file, and that the launcher that runs TinyPoS is written in PowerShell.\r\nIn TP-Case-1 a PowerShell script file containing TinyPoS was created; in TP-Case-2 the TinyPoS binary was saved as a file; in TP-Case-3 TinyPoS was hidden inside a file disguised as a regular file. In all three cases the adversary used a commonly seen file name, or a file name similar to one already in use on the compromised server, as a disguise.\r\nOnce executed, TinyPoS either reads the memory of the specific process the adversary specified, or reads the memory of every process not on its exclusion list, searching for Track 1 and Track 2 data. The expiration date of each extracted record is checked and expired data is discarded. 
After that, only data that passes the Luhn check is kept.\r\n[Figure 3] Overview of TinyPoS’s code flow\r\nWe found evidence that in some cases the adversary configured TinyPoS to target only the SQL Server process (sqlservr.exe), the well-known process of MS-SQL Server, which indicates an intention to steal card data from MS-SQL. Track 1 and 2 data stored in a SQL Server database can be scraped from memory in the following three cases:\r\n1. When Track 1 and 2 data is stored in a database table.\r\n2. When Track 1 and 2 data remains in “tempdb” after being processed by a stored procedure or similar.\r\n3. When deleted Track 1 and 2 data is reloaded into memory through a table lookup. This is possible only when the delete query has removed the metadata of the track data while the data itself still remains in the database file.\r\n[Figure 4] How card data is stolen from the database\r\nAnalysis of TinyPoS\r\nThe adversary installed and removed several variants of TinyPoS on the victim servers. While resident, they repeatedly reinstalled it with different task names and log file paths, which allowed us to collect files the adversary had neglected to delete.\r\nWe identified three TinyPoS installation cases, although there may actually have been more. 
In all cases we confirmed that the task was registered in and run by the Task Scheduler through batch scripts or commands.\r\nAnalysis and comparison of TinyPoS installation methods\r\n[TP-CASE-1]\r\nIn TP-Case-1, TinyPoS was embedded in PowerShell scripts, and the adversary used this form for around a year.\r\nBatch script of TP-Case-1\r\nThe task registered by the batch file executes the PowerShell script containing TinyPoS every 6 hours. In the log file generated by TinyPoS, each detected Track 1 or Track 2 record is written on its own line together with the name of the process it was found in. Because the PowerShell script file name, the log file path and the file creation time differed on each affected server, we presume that the adversary moved laterally and installed TinyPoS on each server one at a time. C:\\WINDOWS was the path mainly used for the TinyPoS file and its log file.\r\nTask data of TP-Case-1\r\nIn the PowerShell script, TinyPoS is stored as a byte array. To load it into memory the adversary reused the “shellcode_injection_expanded.powershell” template from the social-engineer-toolkit published on GitHub, adding a call to WaitForSingleObject so that the script waits on the injected thread.\r\nPowerShell script of TP-Case-1\r\nMost of the scripts contain only the 64-bit build of TinyPoS, but some also include the 32-bit build. There is also a variant that searches the memory of the sqlservr.exe process only; all others search the memory of every process not on the exclusion list.\r\n[TP-CASE-2]\r\nThe second form saves TinyPoS as a plain binary file. Since no detection-evasion technique such as packing or obfuscation is applied, this form is easy for anti-virus software to detect, and there is a high probability of it being noticed by engineers. 
The adversary created the file with the name “readme”, disguised as an ordinary file, and we presume that TP-Case-2 was used only for a short time because of the risk of detection.\r\nUnlike TP-Case-1, the working path was changed to C:\\ProgramData, and both the 32-bit and 64-bit builds were included in a single file.\r\n[Figure 5] TP-Case-2 shellcode\r\n[TP-CASE-3]\r\n[Figure 6] Overview of TP-Case-3 execution flow\r\nThe third form stores the shellcode in an XML file disguised as a scheduled task definition. When a task is registered in the Task Scheduler, an XML file with the same name as the task is created under C:\\WINDOWS\\System32\\Tasks, and the task’s settings are saved in that file. The adversary registered a task named “timesync” that reads timesync.xml and executes it.\r\nThe timesync.xml file was created by appending TinyPoS to the XML data of the timesync task. When opened in an editor, the timesync.xml created by the adversary shows the same data as a legitimate task file, because the appended shellcode is not visible as a string.\r\nLog file recording the registration of the TP-Case-3 scheduled task\r\nIn TP-Case-3, unlike TP-Case-1, TinyPoS is loaded by a script partially modified from DKMC’s “exec-sc.ps1”, published on GitHub.\r\nPowerShell script of TP-Case-3\r\nThe script selects the offset according to whether the OS is 64-bit and reads the TinyPoS build suitable for the target OS from timesync.xml. The list of excluded processes also changed. In the other TP-Cases the exclusion list consists mainly of common system processes; in TP-Case-3, however, the adversary reviewed the collected data and the processes it came from. 
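One practical check for the timesync.xml artifact follows. It is an added example written for this edition, not code from the report or from the tooling it describes. It rests on two assumptions the report does not spell out: that task files under C:\\WINDOWS\\System32\\Tasks are UTF-16LE XML with a byte-order mark ending in a </Task> element, and that the shellcode is appended after that element, which is why an editor shows only the legitimate XML. The task definition, the stand-in payload and the directory path are constructed for the demonstration; inspect_task_file is the pure check and scan_task_dir applies it to a live task store.

```python
import math
import os
import string

# Assumption (see lead-in): task files are UTF-16LE with a BOM and end with </Task>.
BOM = bytes.fromhex('fffe')
END_TAG = '</Task>'.encode('utf-16-le')
WS_UNITS = {c.encode('utf-16-le') for c in string.whitespace}  # 2-byte whitespace units


def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte: XML text stays low, code and encoded
    # payloads run high, which helps triage what was appended.
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_task_file(blob: bytes) -> dict:
    # Flag anything other than whitespace that follows the last </Task>.
    idx = blob.rfind(END_TAG)
    if idx == -1:
        return {'suspicious': True, 'reason': 'no closing Task tag',
                'payload_offset': 0, 'payload_len': len(blob), 'entropy': entropy(blob)}
    start = idx + len(END_TAG)
    tail = blob[start:]
    while tail[:2] in WS_UNITS:          # skip the newline(s) after the closing tag
        tail, start = tail[2:], start + 2
    if not tail:
        return {'suspicious': False, 'reason': 'clean',
                'payload_offset': start, 'payload_len': 0, 'entropy': 0.0}
    return {'suspicious': True, 'reason': 'data appended after Task element',
            'payload_offset': start, 'payload_len': len(tail), 'entropy': entropy(tail)}


def scan_task_dir(root='C:/Windows/System32/Tasks'):
    # Walk the task store on a live host and yield (path, result) for suspicious files.
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as f:
                result = inspect_task_file(f.read())
            if result['suspicious']:
                yield path, result


# Constructed sample task definition (single-quoted attributes are valid XML).
TASK_XML = '''<?xml version='1.0' encoding='UTF-16'?>
<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><TimeTrigger><Repetition><Interval>PT6H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command></Exec></Actions>
</Task>
'''
CLEAN_FILE = BOM + TASK_XML.encode('utf-16-le')
# Stand-in for appended shellcode: a deterministic byte pattern that is not UTF-16 text.
FAKE_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(512))
TAMPERED_FILE = CLEAN_FILE + FAKE_PAYLOAD

if __name__ == '__main__':
    print(inspect_task_file(CLEAN_FILE))
    print(inspect_task_file(TAMPERED_FILE))
```

On a suspect host, run scan_task_dir() with administrator rights and compare each flagged file against the task registered under the same name. Because the TP-Case-3 loader reads the shellcode at a fixed offset chosen by bitness, the payload_offset and payload_len reported here are also what you need to carve the blob out for further analysis.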
The processes on the actual target server that yielded nothing useful were then added to the exclusion list.\r\ntimesync scheduled task\r\ntimesync.xml\r\n[Overall Comparison of TP-Cases]\r\n[Table 1] Comparison of characteristics by TinyPoS installation case\r\nDetailed feature analysis\r\nIn the early version of TinyPoS only part of the code was encoded, but from TP-Case-2 onward the main code located at a specific offset is XOR-decoded and then executed. The decoding loop repeats until a specific 4-byte value (0xCFCFCFCF) is produced. Afterwards a mutex is created to prevent duplicate execution.\r\n[Figure 7] Decoding process of TinyPoS\r\n[Figure 7–1] Comparison of the encoded and decoded binary\r\nTo collect card data, TinyPoS attempts to read the memory of every running process except those on its hard-coded exclusion list. When reading memory it only reads the regions whose properties match the conditions in the table below. 
In TP-Case-2 and TP-Case-3, the PAGE_READWRITE and MEM_PRIVATE conditions are not checked.\r\n[Table 2] Memory properties of regions to be scraped\r\nThe flow chart below describes how Track 1 and Track 2 data is extracted from memory and verified. When searching for Track 1, TinyPoS examines a window of 120 bytes, 40 bytes more than the maximum length defined in the standard, to widen the search; for Track 2 it examines 40 bytes, which equals the maximum length in the standard.\r\n[Figure 8] Overall track data extraction and verification process\r\nAfter the above process, the refined data containing the actual card information is extracted, excluding the start sentinel (‘%’ or ‘;’) and the LRC value. TinyPoS then builds a buffer in the format ‘[Track Data] * [Process]**xx[LocalIP]\\[ComputerName]’ by combining the track data with the process name, the local IP address of the server and the computer name, and XOR-encodes it in 8-byte units with the key 0x6d2a1f3cb26e0c9f. The 8-byte identification value 0x20202020DD0ADD0A is appended to the encoded data, which is then written to the log file. TinyPoS then moves on to the next memory region and repeats the Track 1 and 2 extraction and verification process.\r\nComparing the various versions revealed a mistake by the adversary in the initial code. In TP-Case-1 the search length for Track 1 was 60 bytes and the search length for Track 2 was 120 bytes; the sizes were the wrong way round, with the larger window on the shorter Track 2, and this was fixed in a later version.\r\nWe also noticed a parsing error in the card number check: when counting the 15 to 16 digits of the card number, spaces between digit groups are counted as well. 
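The following Python is an added example written for this edition; it is not code from the report or from TinyPoS itself. It reproduces the pipeline described above on a constructed memory buffer: locate a start sentinel, parse a Track 1 or Track 2 record inside the 120-byte or 40-byte window, check the expiration date and the Luhn checksum, drop the sentinel and the LRC, build the log record, XOR it in 8-byte units with the key given above and append the marker. The track layouts follow ISO/IEC 7813; the record layout, the key and the marker are the values the report gives. Our own assumptions are that no padding is applied when a record is not a multiple of 8 bytes, and the sample memory, process name, IP address and computer name. The PAN pattern deliberately admits spaces so that the parsing defect shows up on the Amex test number, and allow_spaces=False is the strict form a detection rule should use. read_log is the part a responder needs: given a recovered TinyPoS log file, it splits on the marker and undoes the XOR.

```python
import re
from datetime import date

# Values the report gives for TinyPoS: the 8-byte XOR key, the per-record
# marker and the search windows of the fixed version.
XOR_KEY = (0x6d2a1f3cb26e0c9f).to_bytes(8, 'big')
RECORD_MARKER = (0x20202020DD0ADD0A).to_bytes(8, 'big')
TRACK1_WINDOW = 120      # 40 bytes wider than the 79-byte Track 1 maximum
TRACK2_WINDOW = 40       # equal to the Track 2 maximum
BACKSLASH = bytes([92])  # the single backslash in the record layout

# Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary>?<LRC>
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?<LRC>
# The PAN group admits spaces on purpose: that reproduces the parser defect
# the report describes (spaces between digit groups counted as part of the
# 15- to 16-digit PAN). allow_spaces=False in scan_memory() is the strict form.
ESC = re.escape
PAN = b'(?P<pan>[0-9 ]{15,19})'
EXP = b'(?P<exp>[0-9]{4})[0-9]*'
TRACK1_RE = re.compile(b'%B' + PAN + ESC(b'^') + b'[^^]{2,26}' + ESC(b'^') + EXP + ESC(b'?'))
TRACK2_RE = re.compile(b';' + PAN + b'=' + EXP + ESC(b'?'))


def luhn_ok(pan: bytes) -> bool:
    # Standard Luhn checksum over the digits, right to left.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit to integer
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def not_expired(yymm: bytes, now: tuple) -> bool:
    # Expiry is YYMM (20YY assumed); a card is valid through the end of that month.
    yy, mm = int(yymm[:2]), int(yymm[2:])
    return 1 <= mm <= 12 and (2000 + yy, mm) >= now


def scan_memory(buf: bytes, now=None, allow_spaces=True):
    # Walk the buffer the way the scraper does: find a start sentinel, then try
    # to parse one track inside the fixed window that follows it.
    now = now or (date.today().year, date.today().month)
    hits = []
    for kind, sentinel, window, pattern in ((1, b'%B', TRACK1_WINDOW, TRACK1_RE),
                                            (2, b';', TRACK2_WINDOW, TRACK2_RE)):
        pos = buf.find(sentinel)
        while pos != -1:
            m = pattern.match(buf, pos, pos + window)
            if m and (allow_spaces or b' ' not in m.group('pan')):
                pan = m.group('pan').replace(b' ', b'')
                if not_expired(m.group('exp'), now) and luhn_ok(pan):
                    # Refined record: the start sentinel is dropped and the LRC
                    # byte after the end sentinel is never part of the match.
                    hits.append({'offset': pos, 'track': kind, 'pan': pan.decode(),
                                 'data': m.group(0)[1:]})
            pos = buf.find(sentinel, pos + 1)
    return sorted(hits, key=lambda h: h['offset'])


def xor8(data: bytes) -> bytes:
    # XOR with the 8-byte key, cycling; encoding and decoding are the same step.
    # Assumption: no padding when the length is not a multiple of 8.
    return bytes(b ^ XOR_KEY[i % 8] for i, b in enumerate(data))


def build_record(track_data: bytes, process: bytes, local_ip: bytes, computer: bytes) -> bytes:
    # Layout from the report: [Track Data] * [Process]**xx[LocalIP], a backslash,
    # then [ComputerName]; the literal xx is kept as the report shows it.
    return track_data + b' * ' + process + b'**xx' + local_ip + BACKSLASH + computer


def write_log(hits, process: bytes, local_ip: bytes, computer: bytes) -> bytes:
    # One XOR-encoded record plus the marker per hit, as TinyPoS writes its log.
    return b''.join(xor8(build_record(h['data'], process, local_ip, computer)) + RECORD_MARKER
                    for h in hits)


def read_log(blob: bytes):
    # Forensic decoder for a recovered log: split on the marker, undo the XOR.
    return [xor8(chunk) for chunk in blob.split(RECORD_MARKER) if chunk]


# Constructed sample of process memory (not a real capture). The PANs are the
# well-known Visa and Amex test numbers, which pass the Luhn check.
SAMPLE_MEMORY = (
    b'process heap noise 0123 '
    b';4111111111111111=26121010000000000?5'     # Track 2, valid until Dec 2026
    b' more noise '
    b';4111111111111111=19121010000000000?5'     # Track 2, expired
    b';4111111111111112=26121010000000000?5'     # Track 2, fails Luhn
    b';37828224   6310005=2612101?3'             # spaces inside the PAN (defect)
    b'%B4111111111111111^DOE/JOHN^26121010000000000?8'  # Track 1, valid
)

if __name__ == '__main__':
    found = scan_memory(SAMPLE_MEMORY, now=(2026, 4))
    for h in found:
        print(h['track'], h['pan'], 'at offset', h['offset'])
    log = write_log(found, b'sqlservr.exe', b'10.0.0.5', b'POS01')
    for record in read_log(log):
        print(record)
```

With the loose PAN pattern the spaced Amex number is accepted and logged, exactly the defect described; with allow_spaces=False it is rejected, which is the behaviour a scanner or DLP rule built on the same idea should have. When decoding a real log, check each decoded record for the ‘ * ’ and ‘**xx’ separators as a sanity test that the key and the no-padding assumption held for that sample.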
As an example of that defect, a pattern of the form ‘[8 digits][multiple spaces][7 digits]=’ is accepted as a card number: it passes the validation steps and is written to the TinyPoS log file.\r\nPossibility of Exfiltration\r\nTinyPoS had already been used to steal card data from database-related processes such as the MICROS Database Service (resdbs.exe), SQL Server (sqlservr) and MySQL (mysqld), which implies that this method of collection was adopted at some point in the past.\r\nEven if specific data is deleted through a database query, depending on the type of DBMS the deleted data may still remain in the database file, such as the “mdf” file of MS-SQL. The adversary is aware of this characteristic and attempts to exfiltrate such remnants; in the case of TA505, we firmly believe that the threat actor behind Clop ransomware recognized these circumstances.\r\nWe therefore advise DBAs (database administrators) handling sensitive data to understand these forensic characteristics of their databases when operating the system. The event log deletion feature of Clop ransomware removed all event logs, which made forensic examination hard, but we found that the adversary set up their own base server inside the network, installed TinyPoS on each server using PsExec initially and TinyMet afterwards, and finally collected the sensitive data there.\r\nPossibility of Misuse of the Stolen Card Information\r\nTrack 1 and 2 data follow the international standard ISO/IEC 7813. According to this standard, items such as the PVKI, PVV and CVC are included in the Discretionary Data field. 
In practice, this field holds a combination of the cardholder verification code and a one-way hash value generated from information such as the card number and expiration date.\r\nThe CVV (Card Verification Value) stored in Track 2, called CVV1, is a value for checking the integrity of the track data and differs from the CVV2 printed on the physical card, which is the one used for online transactions. Therefore, in most online shops that require CVV2, making a payment with Track 2 data alone is impossible. Some shops do not request CVV2, for example in quick-payment flows, but they require additional information in its place.\r\nHowever, after some processing of the Track 2 data, a cloned card can be used offline. Cloning a card requires special hardware and software, which can be obtained from third parties on the deep and dark web; since a large number of carding forums already exist and are active, this is not a significant obstacle. Card data is therefore among the data most actively traded. An adversary can use the stolen card data directly, but selling it on dark web or carding forums reduces the risk of using cloned cards offline. When data is sold in this way it ends up with someone willing to abuse it, so fraudulent payments by third parties may follow, resulting in actual losses from the card data leak.\r\nCorrelation Analysis\r\nClop\r\nIn the early days of Clop ransomware, Cobalt Strike and FlawedAmmyy were used. FlawedAmmyy is a remote control tool developed from the leaked source code of a specific remote administration solution. 
FlawedAmmyy had been used by TA505 before the group started its Clop ransomware attacks; moreover, both FlawedAmmyy and Clop ransomware were packed with the identical custom packer, and some of the malicious components were signed with identical certificates.\r\nLater, attacks were attempted using Amadey Bot, SDBbot, Get2, FlawedGrace and others. Clop ransomware targets the Active Directory environment and is distributed in bulk after administrator privileges have been taken over.\r\nAzorult\r\nAzorult, which has been packed with the same custom packer as Clop ransomware, also has a function to steal credit card information. However, Azorult focuses on collecting digital footprint data such as infected device information, browser data and cryptocurrency wallet information rather than credit card data itself. In addition, it collects credit card information from the data stored by the Chrome browser through the query shown below, so it plays a somewhat different role from TinyPoS, which intensively steals Track 1 and 2 data.\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards\r\nAbaddonPoS \u0026 PinkKite\r\nAbaddonPoS is a PoS malware family named by Proofpoint in November 2015. In January 2016 Foregenix reported a malware family called TinyPoS, and the known functional difference between the two was not significant. The only difference was in implementation: AbaddonPoS carries its shellcode in encoded form, while TinyPoS did not encode it. In addition, TinyPoS controls its thread branching with the values 0xC0C0C0C and 0xF0F0F0F, which Trend Micro also mentioned in a report released in May 2016.\r\nA similar PoS malware called PinkKite was reported in 2018, and in April 2019 a Forcepoint report stated that TinyPoS and PinkKite appear very similar except for whether the stolen information is sent over the network or stored in a file. 
Further analysis was not possible because no PinkKite hash was available. In other words, AbaddonPoS and PinkKite can be regarded as the same malware cluster as TinyPoS; a CarbonBlack report from May 2020 also referred to it as “TinyPoS or PinkKite”.\r\nInitially some differences existed, but after Proofpoint described TinyPoS as a variant of AbaddonPoS there was little point in distinguishing the two.\r\nAfter 2018 this difference disappeared, and the malware is used in the same manner as TP-Case-1, 2 and 3 described above, which suggests that TA505 is likely to have purchased TinyPoS from a third party. According to a CrowdStrike report, the group that produced TinyLoader and TinyPoS was named Tiny Spider and is tracked as a separate group.\r\n[Table 3] Comparison of AbaddonPoS and TinyPoS analyzed by Trend Micro\r\nTinyLoader\r\nTinyLoader is a downloader that Proofpoint reported together with TinyPoS (aka AbaddonPoS). TinyLoader was used as the downloader for TinyPoS for approximately 4 years, until the end of 2019. TinyLoader shares the same anti-debugging and obfuscation code as TinyPoS, and according to Trend Micro, additional modules that perform screen capture and process information collection can be downloaded from the C\u0026C server. The additional modules are downloaded through the payload responsible for HTTP communication, and TinyPoS is downloaded in the same way.\r\nAccording to a Talos report released in November 2019, DoppelPaymer, TinyPoS, an “SVCHOST SAMPLE” and other files were distributed from the same server. Our analysis found that the SVCHOST SAMPLE was identical to TinyLoader; that is, TinyLoader, TinyPoS and DoppelPaymer were distributed together from one server. The TinyPoS distributed at that time was of the TP-Case-1 type. 
This confirms that the PowerShell-based TinyPoS execution method was used in other incidents from at least April 2019.\r\nSince TinyLoader was distributed from the same server, we assume that the TP-Case-1 TinyPoS was also installed through TinyLoader. Furthermore, PsExec was found on the same server. The attack flow at that time was therefore as follows.\r\nPsExec → [TinyLoader] → TinyPoS → DoppelPaymer\r\nHowever, according to the results of our recent incident response, the attack flow has changed slightly, as follows.\r\nPsExec → [TinyMet or Cobalt Strike] → TinyPoS → Clop ransomware\r\nIn addition, we confirmed that Vawtrak, which is derived from Gozi, downloaded TinyLoader, and Vawtrak has since evolved into the malware called IcedID. According to CrowdStrike, IcedID is currently operated by Lunar Spider, and we confirmed that TinyLoader was distributed by IcedID in 2019, following its distribution by Vawtrak in 2015.\r\nDoppelPaymer\r\nAccording to the Talos report mentioned above, DoppelPaymer ransomware was also distributed from the same server. DoppelPaymer is very similar in source code to BitPaymer ransomware.\r\nESET reported that BitPaymer and the Dridex malware are related in several ways, concluding that the same developer produced the two. CrowdStrike’s analysis likewise shows that Dridex and BitPaymer were found in the same incidents, which strengthens the assessment that they come from the same development group.\r\nEight months later, an analysis report released by CrowdStrike revealed that DoppelPaymer was derived from BitPaymer: some of the Evil Corp personnel who developed Dridex split off into a threat group called Doppel Spider and carried out attacks using DoppelPaymer. 
The group is also known to have developed DoppelDridex, known as Dridex version 2.0. An overview can be found in CERT-FR’s CTI report.\r\nCurrently the name Evil Corp mainly refers to Indrik Spider, which now attacks with WastedLocker instead of BitPaymer. We cannot state with certainty that Doppel Spider purchased these tools from Tiny Spider, which operates TinyLoader and TinyPoS, but the facts above suggest a close relationship between the two groups.\r\nProLock\r\nAfter TP-Case-1 was mentioned in the Talos report of November 2019, TinyPoS reappeared in a report released by CarbonBlack in May 2020. Although the PowerShell script differs slightly, we assume it is of the TP-Case-3 type. The malware described in that report also appeared in a VISA analysis report from September 2020. From this we assume that the change from TP-Case-1 to TP-Case-3 took place over the course of about six months.\r\nNorfolkinfosec confirmed the above and conducted further analysis, revealing that the decoding routine of TinyPoS follows the same pattern as that of ProLock ransomware, except that the check value is 0xCFCFCFCF in TinyPoS and 0xC4C4C4C4 in ProLock. The IoCs released by Norfolkinfosec include a ProLock sample with the same file name as the “readme” of TP-Case-2 described in this report.\r\nGroup-IB released its analysis of ProLock in May 2020. The PowerShell script that executes ProLock is almost the same as the one used to execute TP-Case-3, and the batch scripts that register the scheduled task in TP-Case-1 and 3 are also mentioned in the Talos report.\r\nFinally, we confirmed the following similarities between ProLock and TinyPoS:\r\n1. Primary working path (C:\\ProgramData)\r\n2. Anti-debugging technique\r\n3. Decoding code\r\n4. Hard-coded pattern of the target process list\r\n5. 
Process name comparison code\r\n6. Initially distributed in PE form and later as a binary blob\r\n7. The use of ‘*’ for buffer initialization (ProLock) and as a delimiter (TinyPoS)\r\nIn conclusion, it is highly likely that both come from the same developer. We can assume that Tiny Spider also entered the ransomware business with ProLock, but its client appears to have moved to Egregor ransomware because of issues associated with ProLock.\r\nOverall Connection\r\nConclusion\r\nAs the adoption of IC (integrated circuit) cards increases, the damage to companies and the financial sector caused by PoS malware is gradually decreasing. However, card data whose origin cannot be identified is still being traded on the deep and dark web (DDW). Even if a firm manages its card data and related devices securely, an adversary can target the gap left by old backup data that is not properly managed and steal important information. Card data theft is usually carried out covertly and continuously so that victims do not notice it immediately, which makes it hard to determine whether an infection has occurred.\r\nTinyPoS is frequently found in many other card data theft incidents as well as in ransomware incidents related to DoppelPaymer and Clop. In this attack the adversary continuously used various versions of TinyPoS and updated the code frequently, for example by changing the list of processes to collect from and promptly correcting minor mistakes. This means that the developers of TinyPoS have either sold the source code or are working closely with the buyers.\r\nNumerous cybercrime threat actors are already scaling up their operations by cooperating and selling each other’s resources. 
As the number of ransomware groups increases and the cyber black market grows, cooperation among these criminal organizations will continue.\r\nCybercriminals encrypt crucial files in the enterprise and extort money by holding stolen confidential information or customer data hostage. These ransomware gangs keep devising new ways to obtain cash beyond the existing approach of using ransomware alone. In the early days of ransomware, encrypted files were the only leverage; since then the entire MBR has been encrypted, ransom demands have increased over time, companies with relatively ample funds have been targeted, and high-level executives have been attacked. New strategies emerge each time; most recently there have been threats of DDoS attacks if negotiations are not accepted.\r\nThe theft of card data is one of these strategies: if it succeeds, the adversary can demand a higher amount from the victim, and even if negotiations fail, the stolen card data can still be monetized. In addition to TA505 as described in this report, FIN6 also has malware such as the Ryuk and LockerGoga ransomware and GratefulPoS, and we confirmed that the REvil (Sodinokibi) operator is also interested in PoS software.\r\nRansomware gangs that are skilled at infiltrating and stealing data continue to stay within the enterprise and look for valuable assets, and they will use a variety of strategies to monetize that data. Such attempts will increase in the future, as adversaries will keep thinking about ways to make more money.\r\nSource: https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/operation-synctrek-e5013df8d167"
	],
	"report_names": [
		"operation-synctrek-e5013df8d167"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "168848e1-54f8-43ba-b3f1-650be9b08081",
			"created_at": "2023-01-06T13:46:38.913608Z",
			"updated_at": "2026-04-10T02:00:03.143639Z",
			"deleted_at": null,
			"main_name": "TINY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:TINY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab0b3abd-7947-4a56-a03a-a3fd1009d89f",
			"created_at": "2022-10-25T16:07:24.326862Z",
			"updated_at": "2026-04-10T02:00:04.93806Z",
			"deleted_at": null,
			"main_name": "Tiny Spider",
			"aliases": [],
			"source_name": "ETDA:Tiny Spider",
			"tools": [
				"PinkKite",
				"PsExec",
				"TinyLoader",
				"TinyPOS"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439037,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d18e498ed688aa7e38da271bb50c5916d192b5e.pdf",
		"text": "https://archive.orkl.eu/5d18e498ed688aa7e38da271bb50c5916d192b5e.txt",
		"img": "https://archive.orkl.eu/5d18e498ed688aa7e38da271bb50c5916d192b5e.jpg"
	}
}