FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[1]

ID: S0503
Associated Software: Trinity
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 08 September 2020
Last Modified: 19 October 2020

Techniques Used

Domain | ID | Name | Use
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FrameworkPOS can XOR credit card information before exfiltration.[1]
Enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory.[1]
Enterprise | T1074.001 | Data Staged: Local Data Staging | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows.[2]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data.[1]
Enterprise | T1057 | Process Discovery | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.[1]
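The staging and archiving rows above (track data written to a local file, XOR applied before exfiltration) suggest a simple forensic check for a suspect file: look for Track 2 records both in plaintext and under every single-byte XOR key, and keep only Luhn-valid PANs. This is an added, constructed example for responders, not code from FrameworkPOS or from the ATT&CK page; the sample file, the key 0x5A and the test PAN are all made up here, and the single-byte key is an assumption about the encoding rather than a documented detail of the malware.

```python
import re
from typing import List, Tuple

# Track 2 layout: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. Bytes pattern so it runs over raw files.
TRACK2_RE = re.compile(rb"\b(\d{13,19})=(\d{4})(\d{3})\d{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> List[Tuple[str, str]]:
    """Return (pan, expiry) for Luhn-valid Track 2 records with a sane month."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_ok(pan) and 1 <= int(exp[2:]) <= 12:
            hits.append((pan, exp))
    return hits


def scan_staged_file(data: bytes) -> List[Tuple[int, str, str]]:
    """Try plaintext (key 0) and every single-byte XOR key; report (key, masked PAN, expiry)."""
    results = []
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for pan, exp in find_track2(decoded):
            results.append((key, mask_pan(pan), exp))
    return results


# Constructed sample: a well-known test PAN (not a real card) staged under an assumed key 0x5A.
SAMPLE_PLAIN = b";4111111111111111=25121011234567890?"
STAGED_XOR_KEY = 0x5A
CONSTRUCTED_FILE = b"\x00" * 16 + bytes(b ^ STAGED_XOR_KEY for b in SAMPLE_PLAIN) + b"\x00" * 16

if __name__ == "__main__":
    for key, pan, exp in scan_staged_file(CONSTRUCTED_FILE):
        print(f"track data found under XOR key 0x{key:02x}: {pan} exp {exp}")
```

Run it against files found in the suspect C:\Windows subdirectory; a hit under a non-zero key is a strong indicator that staged card data has been obfuscated rather than a coincidental digit run.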

Groups That Use This Software

ID | Name | References
G0037 | FIN6 |