SecurityWeek

Malware & Threats

New FrameworkPOS Campaign Gains Momentum

FrameworkPOS, a piece of malware used to capture payment card data from the memory processes running on Point-of-Sale systems, is being used in a new attack campaign, researchers at Anomali warn.


Last month, the FrameworkPOS malware was linked to the operations of a financial threat actor dubbed “FIN6,” which has been monitored by FireEye since 2015. The cybercrime group was targeting organizations in the retail and hospitality sectors and used various tools to escalate their privileges and harvest data.

The FIN6 actors managed to deploy their PoS malware on roughly 2,000 systems to compromise millions of cards, researchers determined. The FrameworkPOS (also known as TRINITY) malware was used to gather data that was then copied to an intermediary system, moved to a staging system, and only then sent to external servers using FTP and public file sharing services.

According to Anomali’s Luis Mendieta, the malware has been relatively quiet over the past several months, yet the actors behind it have remained active. While they do not specifically name the FIN6 group as the malware’s operators in this campaign, the Anomali Labs researchers do say that the actors have been registering domains to support data exfiltration campaigns since mid-2015.

Researchers managed to link the registered domains with data exfiltration campaigns and found that a domain that was registered on July 17, 2015, was used in such a campaign in September. Moreover, they claim that the FrameworkPOS operators registered a domain on December 11, 2015, but used it in an operation only at the end of March 2016.

In the latest campaign, FrameworkPOS operators reportedly compromised over 300 credit card records from two victims, namely an SMB based in Honolulu, Hawaii, and another based in Chicago. While analyzing the stolen information, researchers found only track 2 data, although track 1 data had been present in other campaigns as well.
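The track 1 / track 2 distinction above is what an analyst checks first when triaging a memory fragment or an exfiltration sample attributed to PoS malware. The following Python helper is an added example (not code from the Anomali report or from this article): it scans a blob for ISO/IEC 7813 track 1 and track 2 records, masks the PAN, Luhn-validates it so genuine card data can be told apart from noise, and summarizes which track types a sample contains. The `SAMPLE_DUMP` bytes and the `POSPROC.EXE` process name are constructed for the demonstration and use the standard Visa test PAN 4111111111111111, not data from any real system.

```python
import re
from typing import Dict, List, Union

# Track 1, format B (ISO/IEC 7813):
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2 (ISO/IEC 7813):
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (filters out random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 digits so findings can be logged without storing full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: Union[bytes, str]) -> List[Dict[str, object]]:
    """Locate track 1 and track 2 records in a memory fragment or captured exfil payload."""
    text = blob.decode("latin-1") if isinstance(blob, bytes) else blob
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        hits.append({
            "track": 1,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "luhn_valid": luhn_valid(pan),
            "name": m.group(2).strip(),
            "expiry": f"20{m.group(3)}-{m.group(4)}",
            "service_code": m.group(5),
        })
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        hits.append({
            "track": 2,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "luhn_valid": luhn_valid(pan),
            "expiry": f"20{m.group(2)}-{m.group(3)}",
            "service_code": m.group(4),
        })
    hits.sort(key=lambda h: h["offset"])  # report in the order they appear in the blob
    return hits


def summarize(blob: Union[bytes, str]) -> Dict[str, int]:
    """Count track types and Luhn-valid PANs; tells an analyst whether a sample holds track 1, track 2 or both."""
    hits = find_track_data(blob)
    return {
        "track1": sum(1 for h in hits if h["track"] == 1),
        "track2": sum(1 for h in hits if h["track"] == 2),
        "luhn_valid": sum(1 for h in hits if h["luhn_valid"]),
    }


# Constructed sample: a fake PoS process heap fragment with one track 2 record,
# one track 1 record and a Luhn-invalid decoy that a naive regex would still flag.
SAMPLE_DUMP = (
    b"POSPROC.EXE heap fragment (constructed sample, not from a real system)\x00\x00"
    b";4111111111111111=25121010000012300000?\x00garbage\x01\x02"
    b"%B4111111111111111^DOE/JANE^2512101000000000000?\x00"
    b";4111111111111112=2512101000000000000?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
    print(summarize(SAMPLE_DUMP))
```

Run against a captured sample, the summary makes the "track 2 only" observation in the report reproducible, and the Luhn filter keeps counts honest when the blob also contains unrelated digit runs; the masked PAN is what should go into a ticket or IoC record rather than the full number.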

The new campaign is not as widespread as similar infection campaigns leveraging the same PoS malware, but it does reveal that the actors behind this threat are still active.

Moreover, Anomali researchers say that they noticed references to PoS software named ALOHA, which could suggest that the threat actor is specifically targeting the Aloha PoS platform, a system offered by NCR for the restaurant industry. 


The FIN6 cybergang has also been observed using Grabnew (also known as Neverquest, Snifula and Vawtrak) in its operations, a piece of malware used to download other malware onto infected systems.

Related: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS
