Tiny Spider

Description

(ForcePoint) It all starts with the delivery of a small loader called TinyLoader, an obfuscated executable with simple yet powerful downloader functionality. Upon execution, it first brute-forces its own decryption key (a 32-bit value, so this takes a fraction of a second on a modern PC) and then uses that key to decrypt the main program code.
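
The key-recovery step described above, written out as an added example (it is not ForcePoint's analysis code nor TinyLoader's own routine). The page does not say which cipher the loader uses or how it recognises a correct key, so both are assumptions here: a toy word-wise XOR keystream derived from the key, and a constructed 8-byte marker at the start of the decrypted code that a candidate key must reproduce. What the example shows is why a 32-bit key offers no protection: a loop over all 2^32 candidates, checking 64 bits of known plaintext, terminates in seconds in compiled C, and an analyst can run the same loop to unpack the sample without ever knowing the key.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stream cipher standing in for TinyLoader's unspecified scheme (assumption):
   keystream word i is a 32-bit non-linear mix of the key and the word index, so
   one known plaintext word does not hand the key over directly. */
static uint32_t fmix32(uint32_t h) {
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

uint32_t keystream_word(uint32_t key, uint32_t index) {
    return fmix32(key ^ (index * 0x9e3779b9u));
}

/* Encrypt or decrypt in place (XOR is symmetric); trailing bytes < 4 are left as-is. */
void xor_stream(uint8_t *buf, size_t len, uint32_t key) {
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t w;
        memcpy(&w, buf + i, 4);
        w ^= keystream_word(key, (uint32_t)(i / 4));
        memcpy(buf + i, &w, 4);
    }
}

/* Try every 32-bit key until the first 8 bytes of the blob decrypt to the known
   marker. Checking 64 bits of plaintext makes a false hit across the 2^32 space
   negligible. Returns 1 and sets *key_out on success, 0 if no key matches. */
int brute_force_key(const uint8_t *blob, size_t len, const uint8_t known[8], uint32_t *key_out) {
    if (len < 8) return 0;
    uint32_t c0, c1, k0, k1;
    memcpy(&c0, blob, 4); memcpy(&c1, blob + 4, 4);
    memcpy(&k0, known, 4); memcpy(&k1, known + 4, 4);
    uint32_t key = 0;
    do {
        if ((c0 ^ keystream_word(key, 0)) == k0 &&
            (c1 ^ keystream_word(key, 1)) == k1) {
            *key_out = key;
            return 1;
        }
    } while (++key != 0);   /* wraps to 0 after 0xFFFFFFFF: whole space tried */
    return 0;
}

/* Constructed marker: an x86 function prologue (push ebp; mov ebp,esp; sub esp,0x10;
   push ebx; push esi). Stand-in for whatever check the real loader applies. */
static const uint8_t MARKER[8] = {0x55, 0x8b, 0xec, 0x83, 0xec, 0x10, 0x53, 0x56};

/* Build a constructed 16-byte "code" buffer, encrypt it under `key` as the loader
   would ship it, recover the key by brute force and verify the round trip. */
int demo_roundtrip(uint32_t key) {
    uint8_t code[16], blob[16];
    memcpy(code, MARKER, 8);
    for (int i = 8; i < 16; i++) code[i] = (uint8_t)(0xa0 + i);
    memcpy(blob, code, 16);
    xor_stream(blob, 16, key);

    uint32_t found;
    if (!brute_force_key(blob, 16, MARKER, &found)) return 0;
    if (found != key) return 0;
    xor_stream(blob, 16, found);
    return memcmp(blob, code, 16) == 0;
}

int main(void) {
    /* A key this large forces the loop through most of the 2^32 space; with
       optimisations on that is a matter of seconds on a modern PC. */
    uint32_t key = 0xdeadbeefu;
    printf("round trip with key 0x%08x: %s\n", key, demo_roundtrip(key) ? "ok" : "FAILED");
    return 0;
}
```

Compile with `cc -O2 brute.c -o brute`. Swapping the toy keystream for the real sample's routine and the marker for whatever the unpacked code is known to start with (a PE header, a recognised prologue) turns this into the unpacking script an analyst would actually use; the search loop itself does not change.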

The core functionality of the decrypted code is communicating with a set of hardcoded C2 servers, identified by IP address and port. If a C2 is active, it serves what is effectively a piece of shellcode, encrypted with another 32-bit constant. This shellcode is not 'fire and forget': the loader instead establishes a semi-interactive two-way channel with the C2. The earliest traces and mentions of TinyLoader date back to 2015.

Names

Name           Name-Giver
Tiny Spider    CrowdStrike

Country

Motivation

  • Financial crime

First Seen

2015

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

ca6c6c94-9ef8-4aa4-8d9e-ad943b9fbe23

Last Card Change

2020-04-14