1. Home
  2. Software
  3. FrameworkPOS

FrameworkPOS

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from sytems that run physical POS devices.[1]

ID: S0503
Associated Software: Trinity
Type: MALWARE
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 08 September 2020
Last Modified: 19 October 2020

Associated Software Descriptions

Name Description
Trinity

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

FrameworkPOS can XOR credit card information before exfiltration.[1]
Enterprise T1005 Data from Local System

FrameworkPOS can collect elements related to credit card data from process memory.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[2]
Enterprise T1048 Exfiltration Over Alternative Protocol

FrameworkPOS can use DNS tunneling for exfiltration of credit card data.[1]
Enterprise T1057 Process Discovery

FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[1]

Groups That Use This Software

ID Name References
G0037 FIN6

[1][3][4]

References

  1. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  2. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  1. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  2. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.