
S0503 FrameworkPOS

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[1]

| Item | Value |
|---|---|
| ID | S0503 |
| Associated Names | Trinity |
| Version | 1.0 |
| Created | 08 September 2020 |
| Last Modified | 19 October 2020 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Trinity | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data | - |
| Enterprise | T1560.003 | Archive via Custom Method | FrameworkPOS can XOR credit card information before exfiltration.[1] |
| Enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory.[1] |
| Enterprise | T1074 | Data Staged | - |
| Enterprise | T1074.001 | Local Data Staging | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data.[1] |
| Enterprise | T1057 | Process Discovery | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed up memory scraping.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0037 | FIN6 | [1][3][4] |