Improved FrameWorkPOS spotted alive and well in the wild

Researchers at ThreatStream Labs have observed new campaigns using FrameWorkPOS malware.
Researchers at ThreatStream Labs have observed new campaigns using FrameWorkPOS malware.

It's alive! FrameWorkPOS is still in the wild and it's better than ever with a recent campaign stealing 43,000 credit cards, according to researchers at ThreatStream Labs.

In a Thursday blog post, the researchers noted that a sample of the malware family, aimed at point-of-sale systems, indicated that bad actors have made improvements to the original iteration in subsequent versions.

We were able to leverage passive DNS data to learn more about its scope and some of the victims. The data gave us insight to the following:

“During the analysis of the data 3 different campaigns were observed,” the blog post said, noting that researchers leveraged passive DNS data to gain more insight about the scope of the campaigns and their victims. They noted one campaign to be “more active than others.” What the researchers referred to as the grp10 campaign infected the most hosts though its “running timeframe was 2.5 months which is very short compared to” another campaign, known as grp05. That latter campaign ran from August 2015 to February 2016. The third campaign, grp03, ran for two months but infected 10 IPs.

The researchers noted a total of 67 unique IPs infected and distributed between the U.S. and Russia.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS