FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used byFIN6 to steal payment card data from sytems that run physical POS devices.[1]
ID: S0503
ⓘ
Associated Software: Trinity
ⓘ
Type: MALWARE
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 08 September 2020
Last Modified: 25 April 2025
Associated Software Descriptions
| Name | Description |
|---|---|
| Trinity |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | .003 | Archive Collected Data:Archive via Custom Method | FrameworkPOS can XOR credit card information before exfiltration.[1] |
| Enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory.[1] | |
| Enterprise | T1074 | .001 | Data Staged:Local Data Staging | FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data.[1] | |
| Enterprise | T1057 | Process Discovery | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[1] | |
Groups That Use This Software
References
×