FrameworkPOS is a point-of-sale malware, a threat that was created to collect the victims' credit card and financial information when they make a payment at a retailer. FrameworkPOS is developed by FIN6, a group that has been carrying out similar attacks since early 2016. They first received attention when they sold nearly twenty million credit card numbers on the Dark Web. It is clear that the criminals responsible for FrameworkPOS have made millions of dollars in profits from these attacks and pose a significant threat to computer users around the world.
How FrameworkPOS Can Be Installed on a Computer
FrameworkPOS is designed to collect credit card data from devices on an infected network. FrameworkPOS is installed by taking advantage of known exploits, which may include CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, on systems running the Windows operating system. Once FrameworkPOS is installed, it can map a network and infect numerous devices, establishing a connection with a Command and Control server to relay all collected payment data to its controllers. FrameworkPOS intercepts payment data on the payment processing device and writes it to a log file. FrameworkPOS's Command and Control servers receive this data in a password-protected ZIP file.
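Because FrameworkPOS stages harvested card data in a log file before sending it out, one practical check for a responder is to scan suspicious files on a POS host for magnetic-stripe Track 2 records. The script below is an added example for this article, not code from the page or from any FrameworkPOS analysis: it matches the ISO/IEC 7813 Track 2 layout, discards candidates whose PAN fails the Luhn check (to cut false positives), and reports only masked PANs so the scan output itself does not become another copy of cardholder data. The sample text is constructed and uses the well-known 4111... and 5555... test card numbers, plus a decoy that is not Luhn-valid.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' + PAN (13-19 digits) + '=' + YYMM expiry
# + 3-digit service code + discretionary data + '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; mask the rest so reports stay safe to share."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_records(text: str) -> list:
    """Return masked Track 2 hits found in text, skipping PANs that fail Luhn."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_valid(pan):
            continue            # random digit runs rarely pass Luhn; drop them
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": expiry,
            "service_code": service_code,
            "offset": m.start(),
        })
    return hits


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a suspect log on a POS host) for Track 2 data."""
    with open(path, "rb") as fh:
        # latin-1 maps every byte to a character, so binary junk cannot break decoding
        return find_track2_records(fh.read().decode("latin-1"))


# Constructed sample of what a harvested log might contain: two valid test
# PANs and one decoy (1234567890123456) that does not pass Luhn.
SAMPLE_SCRAPE = (
    "boot ok\n"
    ";4111111111111111=2512101000000000000?\n"
    "noise ;1234567890123456=2601101? more noise\n"
    ";5555555555554444=2703201123456?\n"
)

if __name__ == "__main__":
    for hit in find_track2_records(SAMPLE_SCRAPE):
        print(hit)
```

Run it against a real file with `scan_file("/path/to/suspect.log")`; a single hit on a machine that has no business holding raw stripe data is a strong indicator that a scraper has been active, and the masked output can go straight into an incident ticket.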
Other Malware Attacks Have Been Linked to FrameworkPOS
Malware rarely attacks alone. If there is malware on a network, it is likely that other infections have also found their way onto it. FrameworkPOS has been linked to ransomware attacks, which may be deployed on infected devices as a second way to generate revenue at the expense of the victims. The devices on a compromised network that are not connected to a payment terminal are infected with a ransomware variant, typically malware from the Ryuk Ransomware or LockerGoga Ransomware families. These threats use a strong encryption algorithm to make the victim's user-generated files inaccessible, and target files with extensions such as the following:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
Once the victim's files have been encrypted, they will not be recoverable without the attackers' key. Because of this, computer users will need to restore any affected files from a backup copy, and will often have to completely reinstall the operating system on a device to ensure that the FrameworkPOS infection and the associated ransomware infection are gone completely.
Protecting Your Network from Threats Like FrameworkPOS
It is clear that FrameworkPOS poses a serious threat. Because of this, network administrators need to ensure that their devices are well protected. Strong security measures, security software, and regular updates can mitigate the effect of attacks like FrameworkPOS on a network and on its customers.