FrameworkPOS, a piece of malware that scrapes payment card data from the memory of processes running on point-of-sale (PoS) systems, is being used in a new attack campaign, researchers at Anomali warn.
Last month, the FrameworkPOS malware was linked to the operations of a financial threat actor dubbed “FIN6,” which FireEye has tracked since 2015. The cybercrime group targeted organizations in the retail and hospitality sectors and used various tools to escalate privileges and harvest data.
The FIN6 actors managed to deploy their PoS malware on roughly 2,000 systems and compromise millions of cards, researchers determined. FrameworkPOS (also known as TRINITY) gathered card data that was first copied to an intermediary system, then moved to a staging system, and only then sent to external servers over FTP and public file-sharing services.
According to Anomali’s Luis Mendieta, the malware has been relatively quiet over the past several months, yet the actors behind it have remained active. While they do not specifically name the FIN6 group as the malware’s operators in this campaign, the Anomali Labs researchers do say that the actors have been registering domains to support data exfiltration campaigns since mid-2015.
Researchers linked those registered domains to data exfiltration campaigns and found a lag of months between registration and first use: a domain registered on July 17, 2015, was used in such a campaign in September, and another registered on December 11, 2015, was not used in an operation until the end of March 2016.
In the latest campaign, the FrameworkPOS operators reportedly stole over 300 credit card records from two victims, an SMB based in Honolulu, Hawaii, and another based in Chicago. In the stolen data, researchers found only track 2 data, whereas earlier campaigns had also yielded track 1 data.
The new campaign is not as widespread as similar infection campaigns leveraging the same PoS malware, but it does reveal that the actors behind this threat are still active.
Moreover, Anomali researchers say they noticed references to PoS software named ALOHA, which could suggest that the threat actor is specifically targeting the Aloha PoS platform, a system offered by NCR to the restaurant industry.
The FIN6 cybergang has also been observed using Grabnew (also known as Neverquest, Snifula and Vawtrak) in its operations, malware that is used to download additional malware onto infected systems.