FIN6 FrameworkPOS Malware Sample Download

Posted Under: Download Free Malware Samples, Malware, POS on Sep 27, 2019
FrameworkPOS, also known as TRINITY, is point-of-sale (POS) malware attributed to the threat actor FIN6. It is a memory scraper: it targets physical POS systems in order to harvest Track 1 and Track 2 data from payment cards, which includes the primary account number, expiration date, service code and cardholder name. The attack is possible because, when a card is swiped on a POS terminal, the data read from the magnetic stripe sits unencrypted in process memory until the application sends it on to the payment processor; a process with enough privilege to read that memory can simply search it for the track-data patterns.

Once FrameworkPOS finds track data, it copies and encodes it into a local file in a subdirectory of C:\Windows, giving the files .dll or .chm extensions so they blend in with legitimate files. To move the stolen card data out of the environment, FIN6 used a script that iterated through a list of compromised POS systems, copied each system's harvested track-data files into a numbered "log" file and then deleted the original files.

This version of FrameworkPOS broadens its scanning logic to match a wider variety of Track 1 and Track 2 formats. The harvested data is obfuscated with XOR encoding before it is stored, and XOR encoding is also used for exfiltration, which is done over DNS: the malware issues ping requests to hostnames that carry the encoded data, so the resulting DNS lookups deliver it to an attacker-controlled name server.
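The two security-relevant points above, that plaintext track data in POS process memory is findable with simple pattern matching and that XOR-encoded exfiltration over DNS is visible in query logs, can both be checked with a few lines of code. The following is an added example written for this page, not code from the page or from the malware itself: it scans a constructed memory buffer for Track 1/Track 2 records (with a Luhn check to drop noise), then triages constructed DNS query log lines and brute-forces the single-byte XOR key on anything that looks like a hex payload. The hex-over-XOR label format, the `example.net` domain and the log line layout are assumptions; the card numbers are standard test numbers.

```python
"""Track-data scanner and DNS-exfiltration triage for FrameworkPOS-style activity.

Added example, not the page's or the malware's code. The memory buffer, the
log lines and the hex-over-XOR query-name format are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# ISO/IEC 7813 track layouts: Track 1 starts with '%B' and carries the name
# between '^' separators; Track 2 starts with ';' and has '=' before YYMM+service.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def luhn_ok(pan: str) -> bool:
    """Luhn check: filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> List[Dict]:
    """Return Luhn-valid track records found in a raw memory buffer."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 1, "pan": pan, "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 2, "pan": pan, "exp": m.group(2).decode()})
    return found


def looks_like_hex_exfil(qname: str, min_payload: int = 32) -> bool:
    """Triage rule: everything below the registrable domain is one long hex blob.
    Treating the last two labels as the registrable domain is a simplification."""
    labels = qname.lower().rstrip(".").split(".")
    payload = "".join(labels[:-2])
    return len(payload) >= min_payload and bool(HEX_RE.match(payload))


def recover_track_from_qname(qname: str) -> Optional[Tuple[int, bytes]]:
    """Try every single-byte XOR key; accept the one that yields a Luhn-valid
    track record. Assumes the hex-over-XOR format used by encode_for_dns."""
    payload = "".join(qname.lower().rstrip(".").split(".")[:-2])
    try:
        data = bytes.fromhex(payload)
    except ValueError:
        return None
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        if scan_memory(plain):
            return key, plain
    return None


def encode_for_dns(record: bytes, key: int, domain: str) -> str:
    """Constructed sender side (assumed format): XOR, hex, 60-char labels."""
    hexed = bytes(b ^ key for b in record).hex()
    labels = [hexed[i:i + 60] for i in range(0, len(hexed), 60)]
    return ".".join(labels) + "." + domain


def triage_log(lines: List[str]) -> List[Tuple[str, Optional[int], Optional[bytes]]]:
    """Flag suspicious query names and attempt to decode them. Assumed log
    layout: '<timestamp> <host> query <qname> <type>'."""
    hits = []
    for line in lines:
        qname = line.split()[3]
        if looks_like_hex_exfil(qname):
            rec = recover_track_from_qname(qname)
            hits.append((qname, rec[0], rec[1]) if rec else (qname, None, None))
    return hits


# Constructed POS process memory: two valid records amid noise, one failing Luhn.
MEMORY = (b"\x00\x11junk POS-Terminal v2 \x90\x90"
          b";4111111111111111=25121011234567890?"
          b"\x00more noise\x00"
          b"%B5555555555554444^DOE/JANE^25121011000000000?"
          b";1234567890123456=2512101000?"
          b"\xff\xfe")

# Constructed DNS query log; the second line carries a record XORed with 0x5A.
LOG_LINES = [
    "2019-09-27T10:00:01 POS-07 query www.example.com A",
    "2019-09-27T10:00:02 POS-07 query "
    + encode_for_dns(b";4111111111111111=25121011234567890?", 0x5A, "example.net") + " A",
    "2019-09-27T10:00:03 POS-07 query updates.example.org A",
]

if __name__ == "__main__":
    for rec in scan_memory(MEMORY):
        print("memory:", rec)
    for qname, key, plain in triage_log(LOG_LINES):
        print("dns:", qname[:40] + "...", "key=" + (hex(key) if key is not None else "?"), plain)
```

The memory scan is the same logic a defender can run over a process dump of the POS application to confirm whether track data is exposed at all; the DNS triage is deliberately crude (length plus hex-only labels) because the cheap single-byte XOR described on the page leaves the payload's structure intact, so the decode step itself becomes the high-confidence detection.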

FrameworkPOS Malware Signatures

Family: Trojan:Win32/Tiggre!rfn
MD5: 67a53bd24ee8499fed79c8c368e05f7a
SHA256: 81cea9fe7cfe36e9f0f53489411ec10ddd5780dc1813ab19d26d2b7724ff3b38

FrameworkPOS Malware Download

Download FrameworkPOS Malware Sample