FrameworkPOS, a piece of malware used to capture payment card data from the memory of processes running on Point-of-Sale (PoS) systems, is being used in a new attack campaign, researchers at Anomali warn.
Last month, the FrameworkPOS malware was linked to the operations of a financial threat actor dubbed “FIN6,” which has been monitored by FireEye since 2015. The cybercrime group was targeting organizations in the retail and hospitality sectors and used various tools to escalate their privileges and harvest data.
The FIN6 actors managed to deploy their PoS malware on roughly 2,000 systems to compromise millions of cards, researchers determined. The FrameworkPOS (also known as TRINITY) malware was used to gather data that was then copied to an intermediary system, moved to a staging system, and only then sent to external servers using FTP and public file sharing services.
According to Anomali’s Luis Mendieta, the malware has been relatively quiet over the past several months, yet the actors behind it continued to be active. While they don’t specifically name the FIN6 group as the malware’s operators in this campaign, the Anomali labs researchers do say that the actors have been registering domains to fuel data exfiltration campaigns since mid-2015.
Researchers managed to link the registered domains with data exfiltration campaigns and found that a domain that was registered on July 17, 2015, was used in such a campaign in September. Moreover, they claim that the FrameworkPOS operators registered a domain on December 11, 2015, but used it in an operation only at the end of March 2016.
In the latest campaign, FrameworkPOS operators supposedly compromised over 300 credit card records from two victims, namely an SMB based in Honolulu, Hawaii, and another based in Chicago. While analyzing the stolen information, researchers found only track 2 data, although track 1 data had also been present in other campaigns.
The new campaign is not as widespread as similar infection campaigns leveraging the same PoS malware, but it does reveal that the actors behind this threat are still active.
Moreover, Anomali researchers say that they noticed references to PoS software named ALOHA, which could suggest that the threat actor is specifically targeting the Aloha PoS platform, a system offered by NCR for the restaurant industry.
The FIN6 cybergang has also been observed using Grabnew (also known as Neverquest, Snifula and Vawtrak) in its operations, a piece of malware that is used to download other malware onto the infected systems.
Related: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS