Threat Report: What is the FrameworkPOS Malware and How Does it Work?

FrameworkPOS is point-of-sale malware used by Fin6 to steal payment card data from physical POS systems. It has been observed on Windows Vista and Windows 7, and it can enumerate the running processes on a compromised host and exclude selected ones from memory scraping so that the scrape completes faster.

FrameworkPOS collects payment card track data from the memory of running processes on the victim, copies it to a local file in a subdirectory of C:\Windows\, and XOR-encodes the card data before exfiltration. For the exfiltration itself it can use DNS tunneling, sending the stolen data out inside DNS queries.
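The two details above that matter most to an incident responder are what the scraper harvests (ISO/IEC 7813 Track 2 records, recognizable by their separators) and that the staging file is XOR-encoded. The following Python is an added example, not FrameworkPOS code or code from any vendor tool: it matches Track 2 records with a Luhn check and brute-forces a single-byte XOR key over a staging-file blob, which is how an analyst can confirm a suspicious file under C:\Windows\ holds card data. The sample blob, the PAN 4111111111111111 (a well-known test number) and the key 0x2A are constructed for the example; a multi-byte key, which the page does not rule out, would need a longer search.

```python
"""Recover XOR-obscured Track 2 data from a staging file (added example, constructed data)."""
import re

# Track 2 layout: optional ';' start sentinel, PAN (13-19 digits), field separator
# '=' (or 'D' in some encodings), YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. \d in bytes mode matches ASCII digits only.
TRACK2_RE = re.compile(rb";?(\d{13,19})[=D](\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers and scanners both use it to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return (PAN, expiry YYMM, service code) for each Luhn-valid Track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode(), m.group(3).decode()))
    return hits


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in buf)


def recover_from_staging(blob: bytes) -> dict:
    """Try all 256 single-byte keys; return {key: records} for keys that yield valid track data.

    Only the true key can map the '=' and '?' sentinels back onto themselves while
    keeping every PAN digit in the ASCII digit range, so false positives are rare.
    """
    found = {}
    for key in range(256):
        recs = find_track2(xor_bytes(blob, key))
        if recs:
            found[key] = recs
    return found


# Constructed sample: a memory-like blob with one valid record and one bogus
# (Luhn-invalid) record, then the same blob as the malware would stage it.
SAMPLE_PLAIN = (
    b"\x00\x00POS terminal\x00;4111111111111111=25121011234567890?\x00"
    b"garbage;1234567890123456=25121010000000000?\x00\xff"
)
SAMPLE_KEY = 0x2A  # assumed key for the example; FrameworkPOS's real key is not on the page
SAMPLE_STAGED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    for key, recs in recover_from_staging(SAMPLE_STAGED).items():
        print(f"key 0x{key:02x}: {recs}")
```

Run against a real staging file, `recover_from_staging` reports the key and the decoded records without writing plaintext PANs to disk; mask the PAN before it goes into a ticket.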

FrameworkPOS Malware Capabilities

  • The FrameworkPOS malware may enumerate running processes on a system to learn which software and applications are common on hosts within the network, and to pick which processes to scrape. It may also stage collected data in a central location or directory on the local system before exfiltration.

Ways to Mitigate FrameworkPOS Malware Attacks

  • FrameworkPOS attacks can be detected and mitigated in a few ways: by analyzing network traffic for unusual data flows (for example, a POS host sending a stream of DNS queries with long, encoded subdomains), by monitoring processes that read other processes' memory or write data to suspicious locations such as subdirectories of C:\Windows\, and by monitoring writable directories for newly created compressed or encoded files. These steps help detect and interrupt data staging and exfiltration before card data leaves the network.
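The first of those checks, unusual network data flows, is the one that catches the DNS tunneling described earlier. The Python below is an added example, not code from the page or from any detection product: it scores a DNS query log by grouping queries per client and registered domain and flagging pairs whose subdomain labels are numerous, almost all unique, long and high-entropy, which is what encoded exfiltration chunks look like. The log lines, the client addresses, the reserved domains `example.com` and `c2.example`, and all thresholds are constructed assumptions; the registered-domain split (last two labels) is a simplification that a production version would replace with a public-suffix list.

```python
"""Flag DNS-tunnel-style exfiltration in a query log (added example, constructed data)."""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 exfil chunks sit near 4-5, hostnames far lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse '<timestamp> <client_ip> <qtype> <qname>' (assumed log format) -> (client, qname)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[3].rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Assumption for the example: the last two labels are the registered domain."""
    return ".".join(qname.split(".")[-2:])


def score_dns_log(lines, min_queries=5, min_unique_ratio=0.8,
                  min_label_len=20, min_entropy=3.5) -> dict:
    """Return {(client, domain): stats} for pairs whose subdomains look like encoded data.

    Thresholds are assumptions; tune them against a baseline of the site's own traffic.
    """
    per_pair = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        per_pair[(client, dom)].append(sub)

    flagged = {}
    for pair, subs in per_pair.items():
        if len(subs) < min_queries:
            continue  # too little traffic to judge
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(len(s.replace(".", "")) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if unique_ratio >= min_unique_ratio and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[pair] = {
                "queries": len(subs),
                "unique_ratio": round(unique_ratio, 2),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            }
    return flagged


HEX = "0123456789abcdef"


def _chunk(i: int) -> str:
    """Constructed stand-in for an encoded exfil chunk: rotate the hex alphabet and
    mirror it, so every label is distinct and uses each character uniformly."""
    r = HEX[i:] + HEX[:i]
    return r + r[::-1]


# Constructed query log: benign lookups from two hosts, then one host streaming
# encoded chunks as TXT queries to a domain it controls.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i}Z 10.0.0.5 A www.example.com" for i in range(5)]
    + ["2024-05-01T10:00:06Z 10.0.0.5 A mail.example.com",
       "2024-05-01T10:00:07Z 10.0.0.7 A www.example.com"]
    + [f"2024-05-01T10:01:{i:02d}Z 10.0.0.7 TXT {_chunk(i)}.c2.example" for i in range(8)]
)


if __name__ == "__main__":
    for (client, dom), stats in score_dns_log(SAMPLE_LOG).items():
        print(f"{client} -> {dom}: {stats}")
```

The benign host never trips the score because its subdomains repeat and are short; the tunneling host is flagged on all three signals at once, which keeps a single long CDN hostname from raising an alert on its own.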

About Fin6 Threat Group

The Fin6 group has stolen payment card data and sold it on underground marketplaces, targeting point of sale systems in the hospitality and retail sectors.

Reactionary Times News Desk
