ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Tiny Spider

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Tiny Spider

NamesTiny Spider (CrowdStrike)
MotivationFinancial crime
First seen2015
Description(ForcePoint) It all starts with the delivery of a small loader called TinyLoader, an obfuscated executable withsimple–yet powerful –downloader functionality. Upon execution, it will first brute force its own decryption key (a 32-bit value, meaning this takes a fraction of second on modern PCs) before using this to decrypt the main program code.

The core functionality of the decrypted code is communication with a set of hardcoded C2 servers by IP and port. If the C2 is active, it will provide what is effectively a piece of shellcode, encrypted by another 32-bit constant. This shellcode is not ‘fire and forget’: it instead sees the loader establish a semi-interactive two-way communication with the C2. Note that the earliest traits and mentions of TinyLoader go back to as far as 2015.
ObservedSectors: Retail.
Countries: Worldwide.
Tools usedPinkKite, PsExec, TinyPOS, TinyLoader.
Operations performed2017A new family of point-of-sale malware, dubbed PinkKite, has been identified by researchers who say the malware is tiny in size, but can delivered a hefty blow to POS endpoints.

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: Terbium
Next: ToddyCat

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]