
New FrameworkPOS Campaign Gains Momentum

FrameworkPOS, a piece of malware used to capture payment card data from the memory processes running on Point-of-Sale systems, is being used in a new attack campaign, researchers at Anomali warn.

Last month, the FrameworkPOS malware was linked to the operations of a financial threat actor dubbed “FIN6,” which has been monitored by FireEye since 2015. The cybercrime group was targeting organizations in the retail and hospitality sectors and used various tools to escalate their privileges and harvest data.

The FIN6 actors managed to deploy their PoS malware on roughly 2,000 systems to compromise millions of cards, researchers determined. The FrameworkPOS (also known as TRINITY) malware was used to gather data that was then copied to an intermediary system, moved to a staging system, and only then sent to external servers using FTP and public file sharing services.

According to Anomali’s Luis Mendieta, the malware has been relatively quiet over the past several months, yet the actors behind it have remained active. While they don’t specifically name the FIN6 group as the malware’s operators in this campaign, the Anomali Labs researchers do say that the actors have been registering domains to support data exfiltration campaigns since mid-2015.

Researchers managed to link the registered domains with data exfiltration campaigns and found that a domain that was registered on July 17, 2015, was used in such a campaign in September. Moreover, they claim that the FrameworkPOS operators registered a domain on December 11, 2015, but used it in an operation only at the end of March 2016.

In the latest campaign, FrameworkPOS operators reportedly compromised over 300 credit card records from two victims, namely an SMB based in Honolulu, Hawaii, and another based in Chicago. While analyzing the stolen information, researchers found only track 2 data, although track 1 data had also been present in other campaigns.

The new campaign is not as widespread as similar infection campaigns leveraging the same PoS malware, but it does reveal that the actors behind this threat are still active.

Moreover, Anomali researchers say that they noticed references to PoS software named ALOHA, which could suggest that the threat actor is specifically targeting the Aloha PoS platform, a system offered by NCR for the restaurant industry.

The FIN6 cybergang has also been observed using Grabnew (also known as Neverquest, Snifula and Vawtrak) in its operations, a piece of malware used to download additional malware onto infected systems.
