- May 7, 2016
FrameworkPOS, a piece of malware used to capture payment card data from the memory processes running on Point-of-Sale systems, is being used in a new attack campaign, researchers at Anomali warn.
Last month, the FrameworkPOS malware was linked to the operations of a financial threat actor dubbed “FIN6,” which has been monitored by FireEye since 2015. The cybercrime group was targeting organizations in the retail and hospitality sectors and used various tools to escalate their privileges and harvest data.
The FIN6 actors managed to deploy their PoS malware on roughly 2,000 systems to compromise millions of cards, researchers determined. The FrameworkPOS (also known as TRINITY) malware was used to gather data that was then copied to an intermediary system, moved to a staging system, and only then sent to external servers using FTP and public file sharing services.
According to Anomali’s Luis Mendieta, the malware has been relatively quiet over the past several months, yet the actors behind it continued to be active. While they don’t specifically name the FIN6 group as the malware’s operators in this campaign, the Anomali labs researchers do say that the actors have been registering domains to fuel data exfiltration campaigns since mid-2015.
Researchers managed to link the registered domains with data exfiltration campaigns and found that a domain that was registered on July 17, 2015, was used in such a campaign in September. Moreover, they claim that the FrameworkPOS operators registered a domain on December 11, 2015, but used it in an operation only at the end of March 2016.
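The registration-to-first-use gaps described above (a domain registered on July 17, 2015 and first used in September; another registered December 11, 2015 and first used at the end of March 2016) are a workable detection signal: a PoS segment should rarely open outbound FTP or file-sharing sessions at all, and when it does, the destination being a recently registered domain that sat idle for weeks is worth an analyst's attention. The script below is an added example, not code from Anomali, FireEye or the SecurityWeek article. The log lines, domain names, registration dates and the `REGISTRATION_DATES` lookup (standing in for a WHOIS or passive-DNS source) are all constructed; only the two registration dates are taken from the report.

```python
"""Added example (not from the report): correlate outbound connections from
PoS hosts with domain registration dates to surface exfiltration channels
that use recently registered, long-dormant domains."""
from datetime import date, datetime
import re

# Constructed WHOIS-style registration dates. The registration dates mirror
# the report (2015-07-17 and 2015-12-11); the domain names are made up.
REGISTRATION_DATES = {
    "cdn-update.example": date(2015, 7, 17),
    "files-sync.example": date(2015, 12, 11),
    "vendor-portal.example": date(2012, 3, 2),
}

# Services a PoS segment should rarely reach directly (port -> label).
EXFIL_PORTS = {21: "ftp", 990: "ftps"}
# Constructed stand-in for a "public file sharing" destination.
FILE_SHARING_HOSTS = {"files-sync.example"}

# Constructed flow-log format: "<iso-timestamp> <src> -> <dst>:<port> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed flow-log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "bytes": int(m["bytes"]),
    }


def domain_age_days(domain, seen):
    """Days between the domain's registration and the moment it was seen."""
    reg = REGISTRATION_DATES.get(domain)
    if reg is None:
        return None
    return (seen.date() - reg).days


def flag_events(lines, min_dormancy_days=30):
    """Return findings for outbound FTP / file-sharing traffic from PoS hosts,
    annotated with how long the destination domain sat registered before use."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = EXFIL_PORTS.get(ev["port"])
        if ev["dst"] in FILE_SHARING_HOSTS:
            reason = "file-sharing"
        if reason is None:
            continue  # ordinary traffic, not of interest here
        age = domain_age_days(ev["dst"], ev["ts"])
        findings.append({
            "src": ev["src"],
            "dst": ev["dst"],
            "reason": reason,
            "domain_age_days": age,
            "dormant": age is not None and age >= min_dormancy_days,
        })
    return findings


# Constructed sample traffic: two suspicious flows and one benign one.
SAMPLE_LOGS = [
    "2015-09-20T02:14:07 pos-lane-03 -> cdn-update.example:21 48211",
    "2016-03-29T03:02:55 pos-lane-07 -> files-sync.example:443 91304",
    "2016-03-29T03:05:01 pos-lane-07 -> vendor-portal.example:443 1200",
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_LOGS):
        print(f)
```

The dormancy threshold is a tunable; the point is that the two report-derived cases come out at roughly two and four months between registration and first observed use, which is far outside what a legitimately provisioned vendor domain usually looks like when it first appears in PoS-segment traffic.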
Read Full Story: New FrameworkPOS Campaign Gains Momentum | SecurityWeek.Com