S0503 FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices. [1]
Item | Value |
---|---|
ID | S0503 |
Associated Names | Trinity |
Type | MALWARE |
Version | 1.0 |
Created | 08 September 2020 |
Last Modified | 19 October 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Trinity | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.003 | Archive via Custom Method | FrameworkPOS can XOR credit card information before exfiltration. [1] |
enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows. [2] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data. [1] |
enterprise | T1057 | Process Discovery | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0037 | FIN6 | [1], [3], [4] |
References
- [1] Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
- [2] FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- [3] CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
- [4] Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.