FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FrameworkPOS can XOR credit card information before exfiltration. |
| Enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory. |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data. |
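The DNS tunneling row above describes exfiltration of card data inside DNS queries. The following is an added detection example written for this page, not FrameworkPOS code or a MITRE artifact. It scores each query's subdomain payload by length and Shannon entropy and flags a registered domain once several distinct high-entropy payloads have been sent to it. The four-field log format (timestamp, client, query type, query name), the thresholds, and the rule that the registered domain is the last two labels are assumptions; the log lines are constructed.

```python
"""Heuristic detection of DNS-tunnelled exfiltration from a DNS query log.

Added example for this page; detection logic written here, not FrameworkPOS code.
The log format (timestamp client qtype qname), the thresholds and the
"registered domain = last two labels" rule are assumptions. The queries are
constructed to look like chunked data carried in the subdomain labels of a
domain the attacker controls.
"""
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed log lines (not real traffic). The fifth line repeats the second,
# as a retransmit would, and must not be counted as a new payload.
SAMPLE_LOG = """\
2020-01-15T10:00:01 10.1.2.30 A www.example.com
2020-01-15T10:00:02 10.1.2.30 A 3b2ea4f0c9d17685.1f0e9d8c7b6a5432.example.net
2020-01-15T10:00:02 10.1.2.30 A 8c7d6e5f4a3b2190.0a9b8c7d6e5f4132.example.net
2020-01-15T10:00:03 10.1.2.30 A 5e4f3a2b1c0d9876.7a6b5c4d3e2f1098.example.net
2020-01-15T10:00:03 10.1.2.30 A 3b2ea4f0c9d17685.1f0e9d8c7b6a5432.example.net
2020-01-15T10:00:04 10.1.2.30 A mail.example.com
2020-01-15T10:00:05 10.1.2.31 AAAA cdn.images.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.0 for evenly spread hex, about 1.6 for 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_query(qname: str):
    """Return (registered domain, concatenated subdomain labels).
    Assumption: registered domain is the last two labels; real deployments
    should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def detect_tunneling(log_text: str, min_payload_len=24, min_entropy=3.0, min_unique=3):
    """Flag registered domains that receive several distinct, long, high-entropy
    subdomain payloads. Returns {domain: {unique_payloads, clients, payload_chars}}."""
    payloads = defaultdict(set)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # assumption: malformed lines are skipped rather than fatal
        _ts, client, _qtype, qname = m.groups()
        domain, payload = split_query(qname)
        # A single long random-looking label is weak evidence on its own;
        # the per-domain count of distinct payloads is the stronger signal.
        if len(payload) >= min_payload_len and shannon_entropy(payload) >= min_entropy:
            payloads[domain].add(payload)
            clients[domain].add(client)
    return {
        d: {
            "unique_payloads": len(p),
            "clients": sorted(clients[d]),
            "payload_chars": sum(len(x) for x in p),
        }
        for d, p in payloads.items()
        if len(p) >= min_unique
    }


if __name__ == "__main__":
    for domain, info in detect_tunneling(SAMPLE_LOG).items():
        print(domain, info)
```

The thresholds are deliberately conservative: CDN and anti-spam services also emit long hashed labels, so in practice the flagged domains should be joined against a list of known-benign registered domains before alerting, and the per-domain payload character count gives a rough size of what may have left the host.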
FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.
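The rows above describe the core of the malware: scraping track data from process memory, staging it in a local file, and XOR-encoding it before exfiltration. The following is an added analyst-side example written for this page, not FrameworkPOS code. It locates ISO/IEC 7813 Track 1 and Track 2 records in a memory buffer, drops digit runs that fail the Luhn check, and brute-forces the single-byte XOR key of a staged file by looking for the key that yields Luhn-valid track records. The PANs are standard test numbers; the memory buffer, the staged file and the XOR key (0x5C) are constructed here.

```python
"""Scanner for magnetic-stripe track data in a memory snapshot or a staged file,
plus brute-force recovery of a staging file encoded with a single-byte XOR key.

Added analyst example for this page; not FrameworkPOS code. Track layouts follow
ISO/IEC 7813; the PANs are standard test numbers; the memory buffer, the staged
file and the XOR key 0x5C are constructed here.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?  (PAN 13-19 digits, '=' separator,
# 4-digit expiry, 3-digit service code, '?' end sentinel).
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1, format B: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn (mod 10) check; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30                      # iterating bytes yields ints
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four only, so scanner output is safe to log."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes):
    """Return Luhn-valid Track 1/2 hits found anywhere in buf, lowest offset first."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan_masked": mask(pan),
                         "expiry": m.group(2).decode(), "service_code": m.group(3).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan_masked": mask(pan),
                         "expiry": m.group(3).decode(), "service_code": m.group(4).decode()})
    return sorted(hits, key=lambda h: h["offset"])


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_staged(data: bytes):
    """Try every single-byte key and return (key, hits) for the key that yields the
    most Luhn-valid track records, or (None, []) if no key decodes to track data.
    Key 0 covers the case where the staged file was not encoded at all."""
    best_key, best_hits = None, []
    for key in range(256):
        hits = find_track_data(xor_bytes(data, key))
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


# Constructed process-memory snippet: junk, a valid Track 2 record, a decoy that has
# the Track 2 shape but fails Luhn, and a valid Track 1 record.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE\x90\x90"
    b";4111111111111111=25121010000000000000?"
    b"\x00\x00\x00"
    b";4111111111111112=25121010000?"
    b"\xff\xee"
    b"%B5555555555554444^DOE/JANE^2512101000000000000000000?"
    b"\x00"
)
# Constructed staging file: the same bytes XOR-encoded with the assumed key 0x5C.
SAMPLE_STAGED = xor_bytes(SAMPLE_MEMORY, 0x5C)


def demo():
    """Scan the memory snippet directly, then recover the key of the staged file."""
    mem_hits = find_track_data(SAMPLE_MEMORY)
    key, staged_hits = recover_xor_staged(SAMPLE_STAGED)
    return mem_hits, key, staged_hits


if __name__ == "__main__":
    mem_hits, key, staged_hits = demo()
    print("memory hits:", mem_hits)
    print("recovered key: 0x%02x" % key, "staged hits:", staged_hits)
```

Running this against a real memory dump is only a triage step: the Luhn filter removes most accidental digit runs but not all, and a scraper that targets a different encoding (UTF-16 strings, or a multi-byte XOR key) needs the search adjusted accordingly.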